rpm package: opensuse/openbao (distro: openSUSE Tumbleweed)
pkg:rpm/opensuse/openbao&distro=openSUSE%20Tumbleweed
Vulnerabilities (31)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-46405 | — | — | | < 2.5.4-1.1 | 2.5.4-1.1 | May 28, 2026 | Impact: In OpenBao's Kerberos auth method on the `GET` handler, or when an `Authorization: Negotiate` header is supplied, the response includes a `logical.Auth` object in addition to an error message. This results in tokens being created with only the default policy, defau |
| CVE-2026-46358 | — | — | | < 2.5.4-1.1 | 2.5.4-1.1 | May 28, 2026 | Impact: OpenBao's inline auth functionality incorrectly redacted audit log entries, resulting in non-auth headers being removed and auth-related headers being retained in cleartext. This requires an attacker to compromise access to the audit device. Operators should review le |
| CVE-2026-45808 | High | — | | < 2.5.4-1.1 | 2.5.4-1.1 | May 28, 2026 | Impact: OpenBao's namespaces provide multi-tenant separation. A tenant who intentionally leaks lease identifiers can have their lease and underlying credential revoked or renewed by a user in another tenant via the legacy, undocumented `sys/revoke` and `sys/renew` endpoints. |
| CVE-2026-40264 | Low | 2.7 | | < 2.5.3-1.1 | 2.5.3-1.1 | Apr 21, 2026 | OpenBao is an open source identity-based secrets management system. OpenBao's namespaces provide multi-tenant separation. Prior to version 2.5.3, a tenant who leaks token accessors can have their token revoked or renewed by a privileged administrator in another tenant. This is ad |
| CVE-2026-39946 | Medium | 4.9 | | < 2.5.3-1.1 | 2.5.3-1.1 | Apr 21, 2026 | OpenBao is an open source identity-based secrets management system. Prior to version 2.5.3, when OpenBao revoked privileges on a role in the PostgreSQL database secrets engine, OpenBao failed to use proper database quoting on schema names provided by PostgreSQL. This could lead t |
| CVE-2026-39396 | Low | 3.1 | | < 2.5.3-1.1 | 2.5.3-1.1 | Apr 21, 2026 | OpenBao is an open source identity-based secrets management system. Prior to version 2.5.3, `ExtractPluginFromImage()` in OpenBao's OCI plugin downloader extracts a plugin binary from a container image by streaming decompressed tar data via `io.Copy` with no upper bound on the nu |
| CVE-2026-39388 | Low | 3.1 | | < 2.5.3-1.1 | 2.5.3-1.1 | Apr 21, 2026 | OpenBao is an open source identity-based secrets management system. Prior to version 2.5.3, OpenBao's Certificate authentication method, when a token renewal is requested and `disable_binding=true` is set, attempts to verify the current request's presented mTLS certificate matche |
| CVE-2026-5807 | High | 7.5 | | < 2.5.3-1.1 | 2.5.3-1.1 | Apr 17, 2026 | Vault is vulnerable to a denial-of-service condition where an unauthenticated attacker can repeatedly initiate or cancel root token generation or rekey operations, occupying the single in-progress operation slot. This prevents legitimate operators from completing these workflows. |
| CVE-2026-3605 | High | 8.1 | | < 2.5.3-1.1 | 2.5.3-1.1 | Apr 17, 2026 | An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user to delete secrets across namespaces, nor |
| CVE-2026-33758 | — | — | | < 2.5.2-1.1 | 2.5.2-1.1 | Mar 27, 2026 | OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao installations that have an OIDC/JWT authentication method enabled and a role with `callback_mode=direct` configured are vulnerable to XSS via the `error_description` parameter on |
| CVE-2026-33757 | — | — | | < 2.5.2-1.1 | 2.5.2-1.1 | Mar 27, 2026 | OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao does not prompt for user confirmation when logging in via JWT/OIDC and a role with `callback_mode` set to `direct`. This allows an attacker to start an authentication request and p |
| CVE-2025-68121 | Critical | 10.0 | | < 2.5.1-1.1 | 2.5.1-1.1 | Feb 5, 2026 | During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and |
| CVE-2026-24051 | High | 7.0 | | < 2.5.1-1.1 | 2.5.1-1.1 | Feb 2, 2026 | OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system comman |
| CVE-2025-64761 | — | — | | < 2.4.4-1.1 | 2.4.4-1.1 | Nov 25, 2025 | OpenBao is an open source identity-based secrets management system. Prior to version 2.4.4, a privileged operator could use the identity group subsystem to add a root policy to a group identity group, escalating their or another user's permissions in the system. Specifically this |
| CVE-2025-62705 | — | — | | < 2.4.3-1.1 | 2.4.3-1.1 | Oct 22, 2025 | OpenBao is an open source identity-based secrets management system. Prior to version 2.4.2, OpenBao's audit log did not appropriately redact fields when relevant subsystems sent []byte response parameters rather than strings. This includes, but is not limited to sys/raw with use |
| CVE-2025-62513 | — | — | | < 2.4.3-1.1 | 2.4.3-1.1 | Oct 22, 2025 | OpenBao is an open source identity-based secrets management system. In versions 2.2.0 to 2.4.1, OpenBao's audit log experienced a regression wherein raw HTTP bodies used by a few endpoints were not correctly redacted (HMAC'd). This impacts those using the ACME functionality of PKI, |
| CVE-2025-6203 | — | — | | < 2.4.1-1.1 | 2.4.1-1.1 | Aug 28, 2025 | A malicious user may submit a specially-crafted complex payload that otherwise meets the default request size limit, which results in excessive memory and CPU consumption of Vault. This may lead to a timeout in Vault's auditing subroutine, potentially resulting in the Vault server |
| CVE-2025-55003 | — | — | | < 2.3.2-1.1 | 2.3.2-1.1 | Aug 9, 2025 | OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, OpenBao's Login Multi-Factor Authentication (MFA) system allows enforcing MFA using Time-based One Time Password ( |
| CVE-2025-55000 | — | — | | < 2.3.2-1.1 | 2.3.2-1.1 | Aug 9, 2025 | OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, OpenBao's TOTP secrets engine could accept valid codes multiple times rather than strictly-once. This was caus |
| CVE-2025-54996 | — | — | | < 2.3.2-1.1 | 2.3.2-1.1 | Aug 9, 2025 | OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, accounts with access to highly-privileged identity entity systems in root namespaces were able to increase their s |