Open Source Identity-Based Secrets Management System Vulnerability in OpenBao
CVE-2026-39946

4.6 MEDIUM

Key Information:

Vendor

OpenBao

Status
Vendor
CVE Published:
21 April 2026

What is CVE-2026-39946?

OpenBao, an open-source identity-based secrets management system, contained a vulnerability in how its PostgreSQL database engine revoked role privileges. When revoking privileges on roles, OpenBao did not apply proper database quoting to schema names. This oversight could not only cause role revocation to fail but also introduce a potential SQL injection risk for the management user. The flaw originated from a similar issue in HashiCorp Vault. Users are advised to update to version 2.5.3 or later; as a precaution, it is also recommended to audit database table schemas and restrict users' schema-creation privileges.
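As an added illustration (not OpenBao's own code), the Go sketch below shows the quoting rule the fix relies on: a schema name in a REVOKE statement must be rendered as a quoted PostgreSQL identifier rather than interpolated raw. The statement shape, the quoteIdentifier helper and the sample schema names are assumptions for this example and are not taken from the OpenBao source.

```go
package main

import (
	"fmt"
	"strings"
)

// quoteIdentifier wraps a PostgreSQL identifier in double quotes and doubles
// any embedded double quote, the same rule lib/pq's QuoteIdentifier applies.
// Text after an embedded NUL is dropped, as pq does, since it cannot be sent.
func quoteIdentifier(name string) string {
	if i := strings.IndexByte(name, 0); i >= 0 {
		name = name[:i]
	}
	return `"` + strings.ReplaceAll(name, `"`, `""`) + `"`
}

// unsafeRevoke is the flawed shape: identifiers are interpolated raw, so a
// mixed-case name is case-folded by the server and an unusual character
// changes how the statement parses. (Assumed statement shape.)
func unsafeRevoke(schema, role string) string {
	return fmt.Sprintf("REVOKE ALL PRIVILEGES ON SCHEMA %s FROM %s;", schema, role)
}

// safeRevoke quotes both identifiers so the schema name is always one
// identifier token, whatever characters it contains.
func safeRevoke(schema, role string) string {
	return fmt.Sprintf("REVOKE ALL PRIVILEGES ON SCHEMA %s FROM %s;",
		quoteIdentifier(schema), quoteIdentifier(role))
}

func main() {
	// Constructed sample schema names: a mixed-case name and a name that
	// contains a double quote, which the quoting must escape.
	for _, schema := range []string{"Reporting", `audit"2024`} {
		fmt.Println("unsafe:", unsafeRevoke(schema, "app_ro"))
		fmt.Println("safe:  ", safeRevoke(schema, "app_ro"))
	}
}
```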

Affected Version(s)

openbao < 2.5.3

References

CVSS V4

Score:
4.6
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
