OpenBao Identity-Based Secrets Management System Vulnerability
CVE-2026-42186

2.3LOW

Key Information:

Vendor

Openbao

Status
Openbao
Vendor
CVE Published:
14 May 2026

What is CVE-2026-42186?

OpenBao, an open-source identity-based secrets management system, has a vulnerability in its data deletion process prior to version 2.5.3. If the deletion of an initial namespace fails, subsequent retries may not successfully clear all associated data, potentially leaving orphaned storage entries and affecting outstanding leases. This could lead to unintended data retention and security concerns. The issue has been addressed in version 2.5.3.

Affected Version(s)

openbao < 2.5.3

References

https://github.com/openbao/openbao/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/openbao/openbao/commit/6d2e0506e2b41be...
x_refsource_MISC
https://github.com/openbao/openbao/releases/tag/v2.5.3
x_refsource_MISC

CVSS V4

Score:
2.3
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.