Vulnerability in Openbao
CVE-2026-33757
OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao does not prompt for user confirmation when logging in via JWT/OIDC and a role with `callback_mode` set to `direct`. This allows an attacker…
EPSS: 0.000 (12.6th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 9.6 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L.
Affected products
- Openbao — versions < 2.5.2
Weakness classification (CWE)
References
- https://github.com/openbao/openbao/security/advisories/GHSA-7q7g-x6vg-xpc3 (x_refsource_CONFIRM)
- https://github.com/openbao/openbao/commit/e32103951925723e9787e33886ab6b6ec20f4964 (x_refsource_MISC)
- https://datatracker.ietf.org/doc/html/rfc8628#section-5.4 (x_refsource_MISC)
Frequently asked questions
- What is CVE-2026-33757?
- CVE-2026-33757 is a critical-severity vulnerability in Openbao, classified under Session Fixation. CVSS score: 9.6/10. Published 2026-03-27.
- How severe is CVE-2026-33757?
- Critical severity. CVSS v3 base score is 9.6 out of 10.