SQL Injection in OpenBao
CVE-2026-39946
OpenBao is an open source identity-based secrets management system. Prior to version 2.5.3, when OpenBao revoked privileges on a role in the PostgreSQL database secrets engine, OpenBao failed to use proper database quoting on schema names…
Vulnerability class: SQL Injection
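The quoting failure described above, shown as an added Go example (not OpenBao's code or its patch). The REVOKE statement shape, the function names and the sample schema name are assumptions constructed for illustration:

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// quoteIdentifier wraps name in double quotes and doubles embedded quotes (PostgreSQL identifier quoting).
func quoteIdentifier(name string) (string, error) {
	if name == "" || strings.ContainsRune(name, 0) {
		return "", errors.New("invalid identifier")
	}
	return `"` + strings.ReplaceAll(name, `"`, `""`) + `"`, nil
}

// revokeUnquoted shows the flawed pattern: the schema name is pasted in raw.
func revokeUnquoted(schema, role string) string {
	return fmt.Sprintf("REVOKE USAGE ON SCHEMA %s FROM %s;", schema, role)
}

// revokeQuoted quotes both identifiers before building the statement.
func revokeQuoted(schema, role string) (string, error) {
	s, errS := quoteIdentifier(schema)
	r, errR := quoteIdentifier(role)
	if errS != nil || errR != nil {
		return "", errors.New("invalid identifier")
	}
	return fmt.Sprintf("REVOKE USAGE ON SCHEMA %s FROM %s;", s, r), nil
}

// statementCount counts semicolons outside quoted identifiers.
// Simplified check for this example: it ignores string literals and comments.
func statementCount(sql string) int {
	n, inQuote := 0, false
	for _, c := range sql {
		if c == '"' {
			inQuote = !inQuote
		} else if c == ';' && !inQuote {
			n++
		}
	}
	return n
}

func main() {
	safe, _ := revokeQuoted("reports; SELECT 1", "app_role") // constructed sample name
	fmt.Println(statementCount(revokeUnquoted("reports; SELECT 1", "app_role")), statementCount(safe))
}
```

With the raw name the database receives two statements; with the quoted name it receives one statement whose schema identifier contains the semicolon as data.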
EPSS: 0.000 (9.8th percentile)
Affected products
- OpenBao — versions < 2.5.3
Weakness classification (CWE)
References
- https://github.com/openbao/openbao/security/advisories/GHSA-6vgr-cp5c-ffx3 (x_refsource_CONFIRM)