Product
high
advisory
OpenBao Cross-Namespace Lease Revocation via Legacy sys/revoke Path
2 rules 1 TTPOpenBao versions up to 2.5.3 allow cross-namespace lease revocation by exploiting legacy sys/revoke endpoints, potentially leading to unauthorized credential access and denial of service.
openbao/openbao
vulnerability
acl-bypass
secrets-management
2r
1t
critical
advisory
OpenBao Reflected XSS Vulnerability in OIDC Authentication Error Message
2 rules 1 TTPOpenBao installations with OIDC/JWT authentication enabled and roles with `callback_mode=direct` are vulnerable to reflected XSS via the `error_description` parameter, allowing attackers to steal Web UI tokens; patched in v2.5.2.
OpenBao
xss
reflected-xss
web-application
2r
1t