XSS in Openbao

CVE-2026-33758

OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao installations that have an OIDC/JWT authentication method enabled and a role with `callback_mode=direct` configured are vulnerable to XSS v…

Vulnerability class: Drupalgeddon 2 (CVE-2018-7600)

EPSS: 0.000 (10.6th percentile) — read the EPSS interpretation.

Affected products

Openbao — versions < 2.5.2

Weakness classification (CWE)

References

https://github.com/openbao/openbao/security/advisories/GHSA-cpj3-3r2f-xj59 (x_refsource_CONFIRM)
https://github.com/openbao/openbao/pull/2709 (x_refsource_MISC)
https://github.com/openbao/openbao/commit/6e2b2dd84f0e47cebc90d6e79609dd5274732662 (x_refsource_MISC)
https://github.com/openbao/openbao/releases/tag/v2.5.2 (x_refsource_MISC)