What is CVE-2026-42186?

CVE-2026-42186 is a high-severity vulnerability in Openbao, classified under Improper Removal of Sensitive Information Before Storage or Transfer. CVSS score: 7.5/10. Published 2026-05-14.

How severe is CVE-2026-42186?

High severity. CVSS v3 base score is 7.5 out of 10.

Vulnerability in Openbao

CVE-2026-42186

OpenBao is an open source identity-based secrets management system. Prior to 2.5.3, when OpenBao's initial namespace deletion fails, subsequent retries fail to properly remove all data before marking the namespace as deleted. This can affe…

EPSS: 0.000 (11.0th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.

Affected products

Openbao — versions < 2.5.3

Weakness classification (CWE)

CWE-212 — Improper Removal of Sensitive Information Before Storage or Transfer

References

security-advisories@github.com (Patch, x_refsource_MISC)
security-advisories@github.com (Product, x_refsource_MISC, Release Notes)
security-advisories@github.com (x_refsource_CONFIRM, Mitigation, Vendor Advisory)

Frequently asked questions

What is CVE-2026-42186?: CVE-2026-42186 is a high-severity vulnerability in Openbao, classified under Improper Removal of Sensitive Information Before Storage or Transfer. CVSS score: 7.5/10. Published 2026-05-14.
How severe is CVE-2026-42186?: High severity. CVSS v3 base score is 7.5 out of 10.