Skip to main content

OpenBao CVE-2026-33757

| EUVDEUVD-2026-16624 HIGH
Session Fixation (CWE-384)
2026-03-26 https://github.com/openbao/openbao
8.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.3 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L
vuln.today AI
8.1 HIGH

Unauthenticated network attacker (PR:N/AV:N) but requires victim login interaction (UI:R); takeover of victim's session yields C:H/I:H, while A:N reflects session theft rather than denial of service.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Red Hat
9.6 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

12
Analysis Updated
Jun 30, 2026 - 04:45 vuln.today
v5 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 04:45 vuln.today
v4 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 04:45 vuln.today
v3 (cvss_changed)
Source Code Evidence Fetched
Jun 30, 2026 - 04:44 vuln.today
Analysis Updated
Jun 30, 2026 - 04:44 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 30, 2026 - 03:24 vuln.today
cvss_changed
Severity Changed
Jun 30, 2026 - 03:24 NVD
CRITICAL HIGH
CVSS changed
Jun 30, 2026 - 03:24 NVD
9.6 (CRITICAL) 8.3 (HIGH)
EUVD ID Assigned
Mar 26, 2026 - 18:45 euvd
EUVD-2026-16624
Analysis Generated
Mar 26, 2026 - 18:45 vuln.today
Patch released
Mar 26, 2026 - 18:45 nvd
Patch available
CVE Published
Mar 26, 2026 - 18:32 nvd
CRITICAL 9.6

DescriptionNVD

Impact

OpenBao does not prompt for user confirmation when logging in via JWT/OIDC and a role with callback_mode set to direct.

This allows an attacker to start an authentication request and perform "remote phishing" by having the victim visit the URL and automatically log-in to the session of the attacker. Despite being based on the authorization code flow, the direct mode calls back directly to the API and allows an attacker to poll for an OpenBao token until it is issued.

Patches

Version 2.5.2 includes an additional confirmation screen for direct type logins that requires manual user interaction in order to finish the authentication.

Workarounds

This issue can be worked around either by removing any roles with callback_mode=direct or enforcing confirmation for every session on the token issuer side for the Client ID used by OpenBao.

AnalysisAI

Session fixation via remote phishing in OpenBao before 2.5.2 lets an unauthenticated attacker hijack a victim's identity when a JWT/OIDC auth role is configured with callback_mode=direct. Because direct mode skips any confirmation prompt and calls back straight to the API, an attacker initiates the auth flow, lures a victim into completing the login through a crafted URL, then polls the API to collect the OpenBao token that gets issued under the victim's identity. There is no public exploit identified at time of analysis, EPSS is low (0.06%, 19th percentile), and it is not in CISA KEV, though SSVC rates the technical impact as total.

Technical ContextAI

OpenBao is the open-source, community fork of HashiCorp Vault for secrets management; the affected component is the Go module github.com/openbao/openbao. The flaw lives in the JWT/OIDC auth method's handling of the OAuth2/OIDC authorization code flow. Normally OpenBao mirrors the RFC 8628 device-authorization style polling pattern, but with callback_mode=direct the provider calls back directly to OpenBao's API rather than requiring the user to confirm binding the resulting token to their own client. The root cause is CWE-384 (Session Fixation): the session/token that results from the victim's authentication is bound to an authentication request that was started by, and is being polled by, the attacker, so the attacker - not the victim - receives the issued token.

RemediationAI

Vendor-released patch: upgrade to OpenBao 2.5.2, which adds a mandatory confirmation screen for direct-type logins requiring manual user interaction to complete authentication (fix commit e32103951925723e9787e33886ab6b6ec20f4964; advisory https://github.com/openbao/openbao/security/advisories/GHSA-7q7g-x6vg-xpc3). If you cannot upgrade immediately, remove any JWT/OIDC roles that have callback_mode=direct (this forces the safer flow but breaks any integration that legitimately relied on direct callback polling), or alternatively enforce a confirmation/consent prompt for every session on the identity provider side for the Client ID used by OpenBao (this adds an interaction step for all logins through that client). Distribution users should apply the corresponding vendor packages - for example SUSE-SU-2026:1135 (https://www.suse.com/support/update/SUSE-SU-2026:1135/) or the Red Hat update tracked at https://access.redhat.com/security/cve/CVE-2026-33757.

CVE-2017-12965 CRITICAL POC
9.8 Aug 23

Session fixation vulnerability in Apache2Triad 1.5.4 allows remote attackers to hijack web sessions via the PHPSESSID pa

CVE-2025-28242 CRITICAL POC
9.8 Apr 18

Improper session management in the /login_ok.htm endpoint of DAEnetIP4 METO v1.25 allows attackers to execute a session

CVE-2022-40916 CRITICAL POC
9.8 Feb 06

Tiny File Manager v2.4.7 and below is vulnerable to session fixation. Rated critical severity (CVSS 9.8), this vulnerabi

CVE-2025-45949 CRITICAL POC
9.8 Apr 28

A critical vulnerability was found in PHPGurukul User Registration & Login and User Management System V3.3 in the /login

CVE-2023-48929 CRITICAL POC
9.8 Dec 08

Franklin Fueling Systems System Sentinel AnyWare (SSA) version 1.6.24.492 is vulnerable to Session Fixation. Rated criti

CVE-2023-41012 CRITICAL POC
9.8 Sep 05

An issue in China Mobile Communications China Mobile Intelligent Home Gateway v.HG6543C4 allows a remote attacker to exe

CVE-2023-31498 CRITICAL POC
9.8 May 11

A privilege escalation issue was found in PHP Gurukul Hospital Management System In v.4.0 allows a remote attacker to ex

CVE-2022-3269 CRITICAL POC
9.8 Sep 23

Session Fixation in GitHub repository ikus060/rdiffweb prior to 2.4.7. Rated critical severity (CVSS 9.8), this vulnerab

CVE-2021-39290 CRITICAL POC
9.8 Aug 23

Certain NetModule devices allow Limited Session Fixation via PHPSESSID. Rated critical severity (CVSS 9.8), this vulnera

CVE-2020-11729 CRITICAL POC
9.8 Apr 15

An issue was discovered in DAViCal Andrew's Web Libraries (AWL) through 0.60. Rated critical severity (CVSS 9.8), this v

CVE-2019-18418 CRITICAL POC
9.8 Oct 24

clonos.php in ClonOS WEB control panel 19.09 allows remote attackers to gain full access via change password requests be

CVE-2018-18925 CRITICAL POC
9.8 Nov 04

Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." s

Vendor StatusVendor

SUSE

Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2026-33757 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy