logo

Database

Authentication mechanism absence or evasion In github.com/openbao/openbao

Description

OpenBao's cross-namespace lease revocation via legacy sys/revoke path bypasses ACL

Impact

OpenBao's namespaces provide multi-tenant separation. A tenant who intentionally leaks lease identifiers can have their lease and underlying credential revoked or renewed by a user in another tenant via the legacy, undocumented sys/revoke and sys/renew endpoints.

Patch

This will be addressed in v2.5.4.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-458082. NVD-2026-458083. OSV-2026-458084. GHSA-v8v8-cm84-m6865. GCVE-2026-45808

References

1. https://github.com/openbao/openbao/security/advisories/GHSA-v8v8-cm84-m6862. https://github.com/openbao/openbao/pull/31523. https://github.com/openbao/openbao/commit/c0495646b41cea0e3f5a1030132e9cf5c2375b5c4. https://github.com/openbao/openbao/releases/tag/v2.5.4

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.