Fluid Attacks Database

Description

OpenBao's SQL Injection in PostgreSQL database secrets engine

Impact

When OpenBao revoked privileges on a role in the PostgreSQL database secrets engine, OpenBao failed to use proper database quoting on schema names provided by PostgreSQL. This could lead to role revocation failures, or more rarely, SQL injection as the management user.

This vulnerability was originally from HashiCorp Vault.

Patches

This was addressed in v2.5.3.

Workarounds

Audit table schemas and ensure database users cannot create new schemas and grant privileges on them.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	github.com/openbao/openbao	>=0 <0.0.0-20260420155735-b596b0882620	0.0.0-20260420155735-b596b0882620

Aliases

1. CVE-2026-399462. NVD-2026-399463. OSV-2026-399464. GHSA-6vgr-cp5c-ffx35. GCVE-2026-39946

References

1. https://github.com/openbao/openbao/security/advisories/GHSA-6vgr-cp5c-ffx32. https://github.com/openbao/openbao/pull/29313. https://github.com/openbao/openbao/commit/80693a46ebb4fc2455f1c51ed1dd853b28c2fd774. https://github.com/openbao/openbao/releases/tag/v2.5.3

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.