Identity Management Vulnerability in OpenBao by OpenBao
CVE-2026-40264

CVSS v4 score: 2 (Low)

Key Information:

Vendor: OpenBao
Status: Vendor
CVE Published: 21 April 2026

What is CVE-2026-40264?

OpenBao is an open-source, identity-based secrets management system. Before version 2.5.3, namespace isolation between tenants was incomplete for token accessors: if a tenant inadvertently exposed the accessors of its tokens, a privileged administrator in a different tenant (namespace) could use those accessors to revoke or renew the corresponding tokens. The advisory's CVSS v4 vector rates confidentiality and integrity impact as None and availability as Low, so the practical consequence is cross-tenant disruption or lifetime manipulation of tokens, not disclosure of the tokens themselves; an accessor does not reveal the token value. Two preconditions apply: the attacker must already hold elevated privileges in another namespace, and the victim tenant's accessors must have leaked to them. All versions before 2.5.3 are affected; version 2.5.3 enforces namespace separation for these token operations.

Affected Version(s)

openbao < 2.5.3
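A remediation check for the version range above, added here as an example; it is not code from the advisory or from the OpenBao project. It assumes the server's `/v1/sys/health` JSON carries a `version` string, as Vault-compatible releases do, and compares it to the fixed release with semver precedence so that a pre-release build such as `2.5.3-beta...` is correctly treated as older than `2.5.3`. The sample response bodies are constructed for the example, not captured from a real server.

```python
"""Check an OpenBao server's reported version against the CVE-2026-40264 fix (2.5.3).

Assumptions (not from the advisory): /v1/sys/health returns a "version" field,
and the SAMPLE_RESPONSES below are constructed, not captured from a real server.
"""
import json
import re
from typing import Tuple

FIXED_VERSION = "2.5.3"  # first release with the namespace-separation fix

# Accepts an optional leading "v", a pre-release suffix and build metadata.
_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)


def parse_version(text: str) -> Tuple[Tuple[int, int, int], Tuple]:
    """Return a sortable key for a semver string.

    Per semver, a pre-release sorts *before* the release with the same core,
    so a release gets the key (1,) and any pre-release a key starting with 0.
    Within pre-release identifiers, numeric parts compare numerically and sort
    before alphanumeric parts, which compare lexically.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    pre = m.group(4)
    if pre is None:
        return core, (1,)
    ids = tuple(
        (0, int(p), "") if p.isdigit() else (1, 0, p) for p in pre.split(".")
    )
    return core, (0,) + ids


def is_affected(version: str) -> bool:
    """True when the reported version is older than the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def check_health_response(body: str) -> dict:
    """Interpret a /v1/sys/health JSON body and flag the server if affected."""
    data = json.loads(body)
    version = data["version"]
    return {"version": version, "affected": is_affected(version)}


# Constructed sample responses for the four cases a checker must get right.
SAMPLE_RESPONSES = {
    "old": '{"initialized": true, "sealed": false, "version": "2.5.2"}',
    "fixed": '{"initialized": true, "sealed": false, "version": "2.5.3"}',
    "prerelease": '{"initialized": true, "sealed": false, "version": "2.5.3-beta20260401"}',
    "newer": '{"initialized": true, "sealed": false, "version": "v2.6.0"}',
}

if __name__ == "__main__":
    for name, body in SAMPLE_RESPONSES.items():
        result = check_health_response(body)
        print(f"{name:10s} {result['version']:22s} affected={result['affected']}")
```

The check only tells you whether the running binary still has the flaw. It says nothing about whether a tenant's accessors have already been exposed; after upgrading, tenants who suspect a leak should still rotate the affected tokens.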

CVSS v4

Score: 2
Severity: Low
Confidentiality: None
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: not stated (the source shows "Physical", which is not a value of this CVSS v4 metric)
Privileges Required: not stated (the source shows "Undefined"; the description implies a privileged administrator in another tenant)
User Interaction: not stated (the source shows "Unknown")

Timeline

  • Vulnerability reserved (date not given on this page)

  • Vulnerability published: 21 April 2026