OpenBao Identity-Based Secrets Management System Vulnerability Affecting Certificate Authentication
CVE-2026-39388

CVSS score: 2 (LOW)

Key Information:

Vendor: OpenBao
Status: Vendor
CVE Published: 21 April 2026

What is CVE-2026-39388?

OpenBao, an open-source identity-based secrets management system, has a vulnerability in its Certificate authentication method that allows an attacker to renew tokens they should not be able to renew. The problem arises when a token renewal request is made with disable_binding=true: the system incorrectly matches the presented mTLS certificate against the certificate originally used to log in. An attacker who holds a sibling certificate and key signed by the same Certificate Authority (CA) can therefore extend the lifetime of dynamic leases associated with the original token. The vulnerability has been addressed in version 2.5.3; users should also keep privileged roles tightly scoped to limit the impact of any such renewal.
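As an added illustration (not OpenBao's code, and not a description of how OpenBao's matching actually failed, which this page does not give), the Go program below builds a throwaway CA with two client certificates and contrasts two renewal checks: one that only confirms the presented certificate chains to the trusted CA, which accepts a sibling certificate, and one that binds renewal to the SHA-256 fingerprint of the certificate used at login, which rejects it. All names and serial numbers are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs a leaf certificate for cn with parentKey; a nil parent yields a self-signed CA (demo names/serials).
func issue(cn string, serial int64, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, // client (mTLS) certificate
	}
	if parent == nil { // self-signed CA: mark as CA, cert-signing key usage, no EKU
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage, tmpl.ExtKeyUsage = true, true, x509.KeyUsageCertSign, nil
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, perr := x509.ParseCertificate(der)
	if err != nil || perr != nil {
		panic("certificate issuance failed")
	}
	return cert, key
}
// BuildScenario returns a demo CA, the certificate used at login, and a sibling issued by the same CA.
func BuildScenario() (ca, login, sibling *x509.Certificate) {
	ca, caKey := issue("Demo Root CA", 1, nil, nil)
	login, _ = issue("app-client", 2, ca, caKey)
	sibling, _ = issue("other-client", 3, ca, caKey)
	return
}
// ChainsToCA accepts any certificate the trusted CA signed: adequate at login, but as a renewal check it lets a sibling renew.
func ChainsToCA(ca, presented *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := presented.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}
// FingerprintBound binds renewal to the exact login certificate via a SHA-256 fingerprint of its DER bytes.
func FingerprintBound(login, presented *x509.Certificate) bool {
	return sha256.Sum256(login.Raw) == sha256.Sum256(presented.Raw)
}
```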

Affected Version(s)

openbao < 2.5.3

CVSS V4

Score: 2
Severity: LOW
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Requirements: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published
  • Vulnerability reserved