{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/openbao/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["openbao/openbao (Go)"],"_cs_severities":["high"],"_cs_tags":["vulnerability","acl-bypass","secrets-management"],"_cs_type":"advisory","_cs_vendors":["GitHub","OpenBao"],"content_html":"\u003cp\u003eOpenBao, a secrets management solution, utilizes namespaces for multi-tenant isolation. A vulnerability exists in versions 2.5.3 and earlier where a user in one namespace can revoke or renew leases belonging to another namespace. This is achieved by exploiting the legacy, undocumented \u003ccode\u003esys/revoke\u003c/code\u003e and \u003ccode\u003esys/renew\u003c/code\u003e endpoints. An attacker with knowledge of a valid lease ID from a different namespace can leverage these endpoints to disrupt service or potentially gain unauthorized access to secrets. This vulnerability, identified as CVE-2026-45808, allows bypassing of intended ACL restrictions.\nThe issue is resolved in OpenBao v2.5.4.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains access to a valid lease ID from a target namespace, either through unintentional leakage or through malicious insider activity.\u003c/li\u003e\n\u003cli\u003eAttacker crafts an HTTP request targeting the legacy \u003ccode\u003esys/revoke\u003c/code\u003e endpoint, including the stolen lease ID in the request body.\u003c/li\u003e\n\u003cli\u003eThe OpenBao server processes the request to the \u003ccode\u003esys/revoke\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eDue to the legacy nature of the endpoint, ACL checks are bypassed.\u003c/li\u003e\n\u003cli\u003eThe targeted lease is revoked, rendering any associated credentials invalid.\u003c/li\u003e\n\u003cli\u003eIf the attacker targets the \u003ccode\u003esys/renew\u003c/code\u003e endpoint, the lease will be renewed with settings controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe affected application or service relying on the revoked lease experiences a denial of service or disruption.\u003c/li\u003e\n\u003cli\u003eDepending on the targeted secrets, an attacker might gain unauthorized access to the target application or service if they were able to successfully renew the lease.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-45808 can lead to denial of service for applications relying on OpenBao-managed secrets. In multi-tenant environments, this can impact services in other namespaces, even without proper authorization. While there is no direct information disclosure, unauthorized lease revocation and renewal can interrupt legitimate operations.\nThe severity is high because it impacts availability of critical services.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenBao to version 2.5.4 or later to patch CVE-2026-45808.\u003c/li\u003e\n\u003cli\u003eMonitor OpenBao logs for requests to the \u003ccode\u003e/sys/revoke\u003c/code\u003e endpoint, which may indicate unauthorized lease revocation attempts (see Sigma rule below).\u003c/li\u003e\n\u003cli\u003eImplement strict lease ID handling procedures within your organization to prevent unintended leakage.\u003c/li\u003e\n\u003cli\u003eConsider disabling or restricting access to the \u003ccode\u003esys/revoke\u003c/code\u003e and \u003ccode\u003esys/renew\u003c/code\u003e endpoints through appropriate ACL policies as a temporary mitigation measure until the upgrade is complete.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-28T17:38:26Z","date_published":"2026-05-28T17:38:26Z","id":"https://feed.craftedsignal.io/briefs/2026-05-openbao-lease-revoke/","summary":"OpenBao versions up to 2.5.3 allow cross-namespace lease revocation by exploiting legacy sys/revoke endpoints, potentially leading to unauthorized credential access and denial of service.","title":"OpenBao Cross-Namespace Lease Revocation via Legacy sys/revoke Path","url":"https://feed.craftedsignal.io/briefs/2026-05-openbao-lease-revoke/"}],"language":"en","title":"CraftedSignal Threat Feed — OpenBao","version":"https://jsonfeed.org/version/1.1"}