Fluid Attacks Database

Description

OpenBao's Namespace Deletion May Not Delete Data Properly

Impact

When OpenBao's initial namespace deletion fails, subsequent retries fail to properly remove all data before marking the namespace as deleted. This can affect any outstanding leases as well as potentially leaving unrelated storage entries around.

Patches

This will be patched in OpenBao v2.5.3.

Workarounds

Users may manually remove mounts prior to deleting the namespace.

Audit logs may be used to identify repeated deletion attempts against the same namespace; sys/raw can be used to see what leases were not correctly deleted.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	github.com/openbao/openbao	>=0 <0.0.0-20260420173541-6d2e0506e2b4	0.0.0-20260420173541-6d2e0506e2b4

Aliases

1. CVE-2026-421862. NVD-2026-421863. OSV-2026-421864. GHSA-vv66-6rp4-wr4f5. GCVE-2026-42186

References

1. https://github.com/openbao/openbao/security/advisories/GHSA-vv66-6rp4-wr4f2. https://github.com/openbao/openbao/commit/6d2e0506e2b41be0eaa6643bf7b4efc9a2c094453. https://github.com/openbao/openbao/releases/tag/v2.5.3

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.