CVE-2026-33757

March 27, 2026, 3:16 p.m.

9.6
Critical

Description

OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao does not prompt for user confirmation when logging in via JWT/OIDC and a role with `callback_mode` set to `direct`. This allows an attacker to start an authentication request and perform "remote phishing" by having the victim visit the URL and automatically log-in to the session of the attacker. Despite being based on the authorization code flow, the `direct` mode calls back directly to the API and allows an attacker to poll for an OpenBao token until it is issued. Version 2.5.2 includes an additional confirmation screen for `direct` type logins that requires manual user interaction in order to finish the authentication. This issue can be worked around either by removing any roles with `callback_mode=direct` or enforcing confirmation for every session on the token issuer side for the Client ID used by OpenBao.

Product(s) Impacted

Vendor Product Versions
Openbao
  • Openbao
  • <2.5.2

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-384
Session Fixation
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a openbao openbao <2.5.2 / / / / / / /

References

https://datatracker.ietf.org/doc/html/rfc8628#section-5.4
https://github.com/openbao/openbao/commit/e32103951925723e9787e33886ab6b6ec20f4964
https://github.com/openbao/openbao/security/advisories/GHSA-7q7g-x6vg-xpc3

Tags

[email protected]
CWE-384
2026-03-27
CVE-2026-33757

CVSS Score

9.6 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: CHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: LOW

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L

    View Vector String

Timeline

Published: March 27, 2026, 3:16 p.m.
Last Modified: March 27, 2026, 3:16 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.