<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>OpenBao - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/openbao/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 28 May 2026 17:38:26 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/openbao/feed.xml" rel="self" type="application/rss+xml"/><item><title>OpenBao Cross-Namespace Lease Revocation via Legacy sys/revoke Path</title><link>https://feed.craftedsignal.io/briefs/2026-05-openbao-lease-revoke/</link><pubDate>Thu, 28 May 2026 17:38:26 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-openbao-lease-revoke/</guid><description>OpenBao versions up to 2.5.3 allow cross-namespace lease revocation by exploiting legacy sys/revoke endpoints, potentially leading to unauthorized credential access and denial of service.</description><content:encoded><![CDATA[<p>OpenBao, a secrets management solution, utilizes namespaces for multi-tenant isolation. A vulnerability exists in versions 2.5.3 and earlier where a user in one namespace can revoke or renew leases belonging to another namespace. This is achieved by exploiting the legacy, undocumented <code>sys/revoke</code> and <code>sys/renew</code> endpoints. An attacker with knowledge of a valid lease ID from a different namespace can leverage these endpoints to disrupt service or potentially gain unauthorized access to secrets. This vulnerability, identified as CVE-2026-45808, allows bypassing of intended ACL restrictions. The issue is resolved in OpenBao v2.5.4.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains access to a valid lease ID from a target namespace, either through unintentional leakage or through malicious insider activity.</li>
<li>Attacker crafts an HTTP request targeting the legacy <code>sys/revoke</code> endpoint, including the stolen lease ID in the request body.</li>
<li>The OpenBao server processes the request to the <code>sys/revoke</code> endpoint.</li>
<li>Due to the legacy nature of the endpoint, ACL checks are bypassed.</li>
<li>The targeted lease is revoked, rendering any associated credentials invalid.</li>
<li>If the attacker targets the <code>sys/renew</code> endpoint, the lease will be renewed with settings controlled by the attacker.</li>
<li>The affected application or service relying on the revoked lease experiences a denial of service or disruption.</li>
<li>Depending on the targeted secrets, an attacker might gain unauthorized access to the target application or service if they were able to successfully renew the lease.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-45808 can lead to denial of service for applications relying on OpenBao-managed secrets. In multi-tenant environments, this can impact services in other namespaces, even without proper authorization. While there is no direct information disclosure, unauthorized lease revocation and renewal can interrupt legitimate operations. The severity is high because it impacts availability of critical services.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade OpenBao to version 2.5.4 or later to patch CVE-2026-45808.</li>
<li>Monitor OpenBao logs for requests to the <code>/sys/revoke</code> endpoint, which may indicate unauthorized lease revocation attempts (see Sigma rule below).</li>
<li>Implement strict lease ID handling procedures within your organization to prevent unintended leakage.</li>
<li>Consider disabling or restricting access to the <code>sys/revoke</code> and <code>sys/renew</code> endpoints through appropriate ACL policies as a temporary mitigation measure until the upgrade is complete.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>vulnerability</category><category>acl-bypass</category><category>secrets-management</category></item><item><title>OpenBao Reflected XSS Vulnerability in OIDC Authentication Error Message</title><link>https://feed.craftedsignal.io/briefs/2024-01-openbao-xss/</link><pubDate>Mon, 29 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-openbao-xss/</guid><description>OpenBao installations with OIDC/JWT authentication enabled and roles with `callback_mode=direct` are vulnerable to reflected XSS via the `error_description` parameter, allowing attackers to steal Web UI tokens; patched in v2.5.2.</description><content:encoded><![CDATA[<p>OpenBao, a secrets management tool, is susceptible to a reflected XSS vulnerability (CVE-2026-33758) affecting installations using OIDC/JWT authentication methods. The vulnerability specifically impacts roles configured with <code>callback_mode=direct</code>. An attacker can exploit this flaw by injecting malicious JavaScript code via the <code>error_description</code> parameter in the authentication error page. Successful exploitation grants the attacker access to the victim's Web UI token, potentially leading to unauthorized access to sensitive secrets. The vulnerability was introduced prior to version 2.5.2 and has been patched in version 2.5.2 by replacing the dynamic <code>error_description</code> with a static error message. Defenders should either upgrade or implement the described workaround immediately.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies an OpenBao instance with OIDC/JWT authentication enabled and at least one role configured with <code>callback_mode=direct</code>.</li>
<li>The attacker crafts a malicious URL containing a JavaScript payload within the <code>error_description</code> parameter. Example: <code>/ui/login?error_description=&lt;script&gt;alert('XSS')&lt;/script&gt;</code>.</li>
<li>The attacker tricks a victim (e.g., an administrator logged into the OpenBao Web UI) into clicking the malicious link, perhaps via phishing or other social engineering methods.</li>
<li>The victim's browser sends a request to the OpenBao server with the malicious <code>error_description</code> parameter.</li>
<li>The OpenBao server reflects the attacker's JavaScript payload back to the victim's browser within the HTML of the authentication error page.</li>
<li>The victim's browser executes the attacker-controlled JavaScript code due to the reflected XSS vulnerability.</li>
<li>The malicious JavaScript code steals the victim's authentication token used for accessing the OpenBao Web UI.</li>
<li>The attacker uses the stolen token to authenticate to the OpenBao Web UI and gain unauthorized access to secrets.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this XSS vulnerability allows attackers to steal authentication tokens from legitimate OpenBao users. With a stolen token, an attacker can gain complete access to the OpenBao Web UI, allowing them to read, modify, or delete secrets, policies, and other sensitive configurations. This could lead to a complete compromise of the secrets management system, potentially affecting all applications and services that rely on OpenBao for their credentials. The severity is considered critical due to the ease of exploitation and high potential impact on confidentiality and integrity.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade OpenBao to version 2.5.2 or later to apply the patch that replaces the vulnerable <code>error_description</code> parameter (reference: Patches section).</li>
<li>As a workaround, remove any roles configured with <code>callback_mode=direct</code> (reference: Workarounds section).</li>
<li>Implement a web application firewall (WAF) rule to detect and block requests containing suspicious JavaScript code in the <code>error_description</code> parameter (example rule below).</li>
<li>Monitor web server logs for requests with <code>error_description</code> containing <code>&lt;script&gt;</code> or other HTML tags commonly used in XSS attacks (reference: example rule below, logsource: webserver).</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>openbao</category><category>xss</category><category>reflected-xss</category><category>web-application</category></item></channel></rss>