Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L
Unauthenticated network attacker (PR:N/AV:N) but requires victim login interaction (UI:R); takeover of victim's session yields C:H/I:H, while A:N reflects session theft rather than denial of service.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L
Lifecycle Timeline
12DescriptionNVD
Impact
OpenBao does not prompt for user confirmation when logging in via JWT/OIDC and a role with callback_mode set to direct.
This allows an attacker to start an authentication request and perform "remote phishing" by having the victim visit the URL and automatically log-in to the session of the attacker. Despite being based on the authorization code flow, the direct mode calls back directly to the API and allows an attacker to poll for an OpenBao token until it is issued.
Patches
Version 2.5.2 includes an additional confirmation screen for direct type logins that requires manual user interaction in order to finish the authentication.
Workarounds
This issue can be worked around either by removing any roles with callback_mode=direct or enforcing confirmation for every session on the token issuer side for the Client ID used by OpenBao.
AnalysisAI
Session fixation via remote phishing in OpenBao before 2.5.2 lets an unauthenticated attacker hijack a victim's identity when a JWT/OIDC auth role is configured with callback_mode=direct. Because direct mode skips any confirmation prompt and calls back straight to the API, an attacker initiates the auth flow, lures a victim into completing the login through a crafted URL, then polls the API to collect the OpenBao token that gets issued under the victim's identity. There is no public exploit identified at time of analysis, EPSS is low (0.06%, 19th percentile), and it is not in CISA KEV, though SSVC rates the technical impact as total.
Technical ContextAI
OpenBao is the open-source, community fork of HashiCorp Vault for secrets management; the affected component is the Go module github.com/openbao/openbao. The flaw lives in the JWT/OIDC auth method's handling of the OAuth2/OIDC authorization code flow. Normally OpenBao mirrors the RFC 8628 device-authorization style polling pattern, but with callback_mode=direct the provider calls back directly to OpenBao's API rather than requiring the user to confirm binding the resulting token to their own client. The root cause is CWE-384 (Session Fixation): the session/token that results from the victim's authentication is bound to an authentication request that was started by, and is being polled by, the attacker, so the attacker - not the victim - receives the issued token.
RemediationAI
Vendor-released patch: upgrade to OpenBao 2.5.2, which adds a mandatory confirmation screen for direct-type logins requiring manual user interaction to complete authentication (fix commit e32103951925723e9787e33886ab6b6ec20f4964; advisory https://github.com/openbao/openbao/security/advisories/GHSA-7q7g-x6vg-xpc3). If you cannot upgrade immediately, remove any JWT/OIDC roles that have callback_mode=direct (this forces the safer flow but breaks any integration that legitimately relied on direct callback polling), or alternatively enforce a confirmation/consent prompt for every session on the identity provider side for the Client ID used by OpenBao (this adds an interaction step for all logins through that client). Distribution users should apply the corresponding vendor packages - for example SUSE-SU-2026:1135 (https://www.suse.com/support/update/SUSE-SU-2026:1135/) or the Red Hat update tracked at https://access.redhat.com/security/cve/CVE-2026-33757.
More in Session Fixation
View allSession fixation vulnerability in Apache2Triad 1.5.4 allows remote attackers to hijack web sessions via the PHPSESSID pa
Improper session management in the /login_ok.htm endpoint of DAEnetIP4 METO v1.25 allows attackers to execute a session
Tiny File Manager v2.4.7 and below is vulnerable to session fixation. Rated critical severity (CVSS 9.8), this vulnerabi
A critical vulnerability was found in PHPGurukul User Registration & Login and User Management System V3.3 in the /login
Franklin Fueling Systems System Sentinel AnyWare (SSA) version 1.6.24.492 is vulnerable to Session Fixation. Rated criti
An issue in China Mobile Communications China Mobile Intelligent Home Gateway v.HG6543C4 allows a remote attacker to exe
A privilege escalation issue was found in PHP Gurukul Hospital Management System In v.4.0 allows a remote attacker to ex
Session Fixation in GitHub repository ikus060/rdiffweb prior to 2.4.7. Rated critical severity (CVSS 9.8), this vulnerab
Certain NetModule devices allow Limited Session Fixation via PHPSESSID. Rated critical severity (CVSS 9.8), this vulnera
An issue was discovered in DAViCal Andrew's Web Libraries (AWL) through 0.60. Rated critical severity (CVSS 9.8), this v
clonos.php in ClonOS WEB control panel 19.09 allows remote attackers to gain full access via change password requests be
Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." s
Same weakness CWE-384 – Session Fixation
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16624