OpenBao Identity-Based Secrets Management System Vulnerability
CVE-2026-33757

9.6 CRITICAL

Key Information:

Vendor: OpenBao
Status: Vendor
CVE Published: 27 March 2026

What is CVE-2026-33757?

The OpenBao identity-based secrets management system has a vulnerability in its JWT/OIDC authentication method when a role is configured with 'callback_mode' set to 'direct'. In this mode the provider returns the token directly to the OpenBao API without an additional user-verification step, so an attacker can initiate an authentication request that completes without the user's confirmation. An attacker can craft a URL that, when visited by a victim, logs the victim into the attacker's session without the victim's consent. To mitigate this risk, upgrade to version 2.5.2, which introduces a confirmation screen for 'direct' logins, or reconfigure affected roles to remove 'callback_mode=direct'.

Affected Version(s)

openbao < 2.5.2

References

CVSS V3.1

Score: 9.6
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
