{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/oidc/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["openbao","oidc","authentication-bypass","phishing"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenBao, a secrets management tool, is vulnerable to an authentication bypass in versions prior to 2.5.2. This vulnerability stems from the lack of user confirmation when logging in via JWT/OIDC with a role configured with \u003ccode\u003ecallback_mode\u003c/code\u003e set to \u003ccode\u003edirect\u003c/code\u003e. The vulnerability allows an attacker to initiate an authentication request and trick a victim into visiting a URL, which automatically logs them into the attacker\u0026rsquo;s session. This constitutes a \u0026ldquo;remote phishing\u0026rdquo; attack because the attacker never directly interacts with the victim\u0026rsquo;s credentials. The \u003ccode\u003edirect\u003c/code\u003e callback mode interacts directly with the OpenBao API, enabling the attacker to poll for a token after the victim has been authenticated and a token has been issued. The vulnerability is tracked as CVE-2026-33757.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker configures an OpenBao role with \u003ccode\u003ecallback_mode=direct\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates an OIDC authentication request, generating a unique URL.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the generated URL to the victim via phishing or other social engineering methods.\u003c/li\u003e\n\u003cli\u003eThe victim clicks the link and authenticates through the OIDC provider. OpenBao automatically associates this authentication with the attacker\u0026rsquo;s session due to the \u003ccode\u003edirect\u003c/code\u003e callback.\u003c/li\u003e\n\u003cli\u003eOpenBao\u0026rsquo;s API receives a direct callback, skipping user confirmation.\u003c/li\u003e\n\u003cli\u003eOpenBao issues a token associated with the attacker\u0026rsquo;s session, effectively authenticating the attacker as the victim.\u003c/li\u003e\n\u003cli\u003eThe attacker continuously polls the OpenBao API for the issued token.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the token and gains unauthorized access to secrets and resources managed by OpenBao, impersonating the victim.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to impersonate a legitimate user within OpenBao. This can lead to unauthorized access to sensitive data, including secrets, credentials, and other protected resources. The impact is critical as it allows complete bypass of intended authentication mechanisms, potentially affecting all users and systems managed by the vulnerable OpenBao instance. This can lead to data breaches, service disruption, and privilege escalation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenBao to version 2.5.2 or later to apply the patch that introduces a confirmation screen for \u003ccode\u003edirect\u003c/code\u003e type logins.\u003c/li\u003e\n\u003cli\u003eAs a workaround, remove any OpenBao roles configured with \u003ccode\u003ecallback_mode=direct\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnforce confirmation for every session on the token issuer side for the Client ID used by OpenBao, mitigating the risk even if roles with \u003ccode\u003ecallback_mode=direct\u003c/code\u003e exist.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual patterns of requests to the OpenBao OIDC callback endpoint after authentication, using the \u0026ldquo;Detect OpenBao Direct Callback Abuse\u0026rdquo; Sigma rule to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Detect OpenBao Direct Callback Configuration\u0026rdquo; Sigma rule to identify roles configured with the vulnerable \u003ccode\u003ecallback_mode=direct\u003c/code\u003e setting.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-26T18:33:37Z","date_published":"2026-03-26T18:33:37Z","id":"/briefs/2026-04-17-openbao-oidc-bypass/","summary":"OpenBao versions before 2.5.2 lack user confirmation for OIDC direct callback mode, allowing attackers to perform remote phishing and bypass authentication.","title":"OpenBao OIDC Direct Callback Authentication Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-17-openbao-oidc-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Oidc","version":"https://jsonfeed.org/version/1.1"}