Sensitive information stored in logs in github.com/openbao/openbao

Description

OpenBao's Inline Auth Incorrectly Redacted Headers

Impact

OpenBao's inline auth functionality incorrectly redacted audit log entries: the filter removed non-auth headers while retaining the auth-related headers in cleartext. Exploiting this requires an attacker to have access to the audit device. Operators should review any leaked source authentication material in their audit logs and rotate it as appropriate.
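To help with the review the advisory asks for, the following added example (not OpenBao's own code) scans JSON-lines audit output for inline-auth headers that were retained unredacted, and shows the correct direction of the header filter. It assumes an audit format with `request.headers` as a map of lowercased header name to a list of values, HMAC-redacted values carrying an `hmac-sha256:` prefix, and the header prefix `x-vault-inline-auth-` for inline auth; all sample lines are constructed.

```python
"""Find inline-auth headers left in cleartext in OpenBao-style audit logs.

Added example, not OpenBao's code. Assumptions: one JSON object per line,
request.headers is {name: [values]} with lowercased names, redacted values
start with "hmac-sha256:", and inline-auth headers use the assumed prefix
"x-vault-inline-auth-" (adjust for your deployment).
"""
import json

INLINE_AUTH_PREFIX = "x-vault-inline-auth-"  # assumed header prefix
REDACTED_MARKER = "hmac-sha256:"             # assumed redaction marker


def is_auth_header(name: str) -> bool:
    return name.lower().startswith(INLINE_AUTH_PREFIX)


def redact_headers(headers: dict) -> dict:
    """Correct filter direction: drop auth headers, keep everything else."""
    return {k: v for k, v in headers.items() if not is_auth_header(k)}


def find_leaks(lines):
    """Return [(request_id, [leaked header names])] for entries that kept
    inline-auth headers with at least one value that is not HMAC-redacted."""
    leaks = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the review
        req = entry.get("request", {}) or {}
        headers = req.get("headers", {}) or {}
        bad = sorted(
            name for name, values in headers.items()
            if is_auth_header(name)
            and any(not str(v).startswith(REDACTED_MARKER) for v in values)
        )
        if bad:
            leaks.append((req.get("id", "?"), bad))
    return leaks


SAMPLE = [  # constructed lines, not real audit output
    '{"type":"request","request":{"id":"r1","path":"secret/data/app","headers":{"x-vault-inline-auth-path":["auth/approle/login"],"x-vault-inline-auth-parameter-secret_id":["c2VjcmV0LWlk"]}}}',
    '{"type":"request","request":{"id":"r2","path":"secret/data/app","headers":{"x-vault-inline-auth-path":["hmac-sha256:ab12"]}}}',
    '{"type":"request","request":{"id":"r3","path":"sys/health","headers":{"user-agent":["curl/8.0"]}}}',
]

if __name__ == "__main__":
    for rid, names in find_leaks(SAMPLE):
        print(f"{rid}: rotate material sent via {', '.join(names)}")
```

Only request `r1` is reported: `r2` carries a redacted value and `r3` has no auth headers at all.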

Patches

This is fixed in OpenBao v2.5.4.

Resources

https://github.com/openbao/openbao/issues/3074
