Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (https://github.com/openbao/openbao).
Description (CVE.org)
Impact
OpenBao installations that have an OIDC/JWT authentication method enabled and a role configured with callback_mode=direct are vulnerable to XSS via the error_description parameter, which is rendered on the page shown for a failed authentication.
This allows an attacker to obtain the token a victim uses in the Web UI.
Patches
The error_description parameter has been replaced with a static error message in v2.5.2.
Workarounds
The vulnerability can be mitigated by removing any roles with callback_mode set to direct.
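The pattern the description above points at, as an added example written for this page (it is not OpenBao's code and does not reproduce the real handler): a callback error page that interpolates error_description into HTML, the static-message fix the advisory describes, and an html/template variant for a page that must still display the provider's text. The handler names, the /oidc/callback path, the query parameters and the payload are assumptions.

```go
package main

import (
	"fmt"
	"html/template"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// vulnerableErrorPage reproduces the pattern the advisory describes (hypothetical
// code, not OpenBao's): the error_description the identity provider appends to
// the callback URL after a failed login is interpolated into the HTML error page
// without encoding, so whoever controls the URL controls script in the page.
func vulnerableErrorPage(w http.ResponseWriter, r *http.Request) {
	q := r.URL.Query()
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	fmt.Fprintf(w, "<html><body><h1>Authentication failed</h1><p>%s: %s</p></body></html>",
		q.Get("error"), q.Get("error_description"))
}

// fixedErrorPage has the shape of the v2.5.2 fix as the advisory states it: the
// attacker-influenced parameter is dropped and a static message is shown.
func fixedErrorPage(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	fmt.Fprint(w, "<html><body><h1>Authentication failed</h1>"+
		"<p>The identity provider rejected the login. Ask an administrator to check the server log.</p></body></html>")
}

// errTmpl/escapedErrorPage is an alternative (assumed here, not the project's
// fix) for a page that must still show the provider's text: html/template
// applies contextual escaping, so "<script>" reaches the browser as "&lt;script&gt;".
var errTmpl = template.Must(template.New("err").Parse(
	"<html><body><h1>Authentication failed</h1><p>{{.}}</p></body></html>"))

func escapedErrorPage(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	if err := errTmpl.Execute(w, r.URL.Query().Get("error_description")); err != nil {
		http.Error(w, "render failed", http.StatusInternalServerError)
	}
}

// craftedPayload is a constructed XSS payload of the kind a phishing link would
// carry; the advisory does not say where the Web UI keeps its token, so the
// script body is a placeholder.
const craftedPayload = `<script>/* exfiltrate the UI token */</script>`

// render drives a handler with a callback request carrying the crafted
// error_description and returns the HTML it produced.
func render(h http.HandlerFunc, description string) string {
	q := url.Values{
		"state":             {"opaque-state"},
		"error":             {"access_denied"},
		"error_description": {description},
	}
	req := httptest.NewRequest(http.MethodGet, "/oidc/callback?"+q.Encode(), nil)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Body.String()
}

// scriptReflected reports whether the raw payload survived into the page.
func scriptReflected(body string) bool {
	return strings.Contains(body, craftedPayload)
}

func main() {
	for name, h := range map[string]http.HandlerFunc{
		"vulnerable": vulnerableErrorPage,
		"fixed":      fixedErrorPage,
		"escaped":    escapedErrorPage,
	} {
		fmt.Printf("%-10s reflected=%v\n", name, scriptReflected(render(h, craftedPayload)))
	}
}
```

Only the vulnerable handler echoes the payload; the static message removes the attacker's input from the page entirely, which is why the advisory can describe the fix without any encoding discussion, while the template variant keeps the text but neutralises it.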
Analysis (AI)
Cross-site scripting in OpenBao's OIDC/JWT authentication method allows theft of Web UI session tokens when roles are configured with callback_mode=direct. Attackers exploit the unsanitized error_description parameter on failed authentication pages to inject malicious scripts that execute in victims' browsers, granting access to authentication tokens. …
Vulnerability Assessment (AI)

| Aspect | Assessment |
|---|---|
| Exploitation | OpenBao with an OIDC/JWT authentication method enabled and at least one role configured with `callback_mode=direct`. … |
| Risk Assessment | The vendor CVSS 4.0 vector above scores the flaw PR:N and UI:P: no privileges are required, but a victim must act, here by opening the crafted link while using the Web UI. … |
| Exploit Scenario | An attacker crafts a malicious URL to the OpenBao Web UI's OIDC authentication callback endpoint, injecting JavaScript into the error_description parameter. The attacker distributes this link via phishing email or social engineering, targeting authenticated OpenBao users. … |
| Remediation | Upgrade OpenBao to version 2.5.2 or later, which replaces the vulnerable error_description parameter with a static error message (see release notes at https://github.com/openbao/openbao/releases/tag/v2.5.2 and fix commit at https://github.com/openbao/openbao/commit/6e2b2dd84f0e47cebc90d6e79609dd5274732662). … |
Recommended Action (AI)
Within 24 hours: Inventory all OpenBao deployments and identify instances running versions prior to v2.5.2 with OIDC/JWT authentication enabled and callback_mode=direct configured. …
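An inventory helper for the step above, added here as an example and not part of OpenBao: it walks the roles of one auth mount over the HTTP API and returns those with callback_mode=direct, which are the roles the workaround says to remove. It assumes the list/read endpoints `GET /v1/auth/<mount>/role?list=true` and `GET /v1/auth/<mount>/role/<name>` with the usual `data` envelope, the `X-Vault-Token` header, a mount named `oidc`, and a non-direct value of `client`; the fake server, role names and token are constructed so the example runs offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
	"sort"
	"strings"
)

// listResp and roleResp mirror the response envelope of the list and read
// endpoints of the JWT/OIDC auth method; that shape, and the X-Vault-Token
// header, are assumptions about the API, not taken from the advisory.
type listResp struct {
	Data struct {
		Keys []string `json:"keys"`
	} `json:"data"`
}

type roleResp struct {
	Data map[string]any `json:"data"`
}

func getJSON(client *http.Client, addr, token, path string, out any) error {
	req, err := http.NewRequest(http.MethodGet, addr+path, nil)
	if err != nil {
		return err
	}
	req.Header.Set("X-Vault-Token", token)
	resp, err := client.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("GET %s: %s", path, resp.Status)
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

// DirectCallbackRoles lists every role on the given auth mount and returns the
// names whose callback_mode is "direct", sorted for stable output.
func DirectCallbackRoles(client *http.Client, addr, token, mount string) ([]string, error) {
	var lr listResp
	if err := getJSON(client, addr, token, "/v1/auth/"+mount+"/role?list=true", &lr); err != nil {
		return nil, err
	}
	var direct []string
	for _, name := range lr.Data.Keys {
		var rr roleResp
		if err := getJSON(client, addr, token, "/v1/auth/"+mount+"/role/"+name, &rr); err != nil {
			return nil, err
		}
		if mode, _ := rr.Data["callback_mode"].(string); mode == "direct" {
			direct = append(direct, name)
		}
	}
	sort.Strings(direct)
	return direct, nil
}

// fakeServer is a constructed stand-in for an OpenBao server holding three
// roles, one of them direct, so the example runs offline.
func fakeServer() *httptest.Server {
	roles := map[string]map[string]any{
		"ui-login": {"role_type": "oidc", "callback_mode": "direct"},
		"cli":      {"role_type": "oidc", "callback_mode": "client"},
		"ci":       {"role_type": "jwt"},
	}
	mux := http.NewServeMux()
	mux.HandleFunc("/v1/auth/oidc/role", func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Query().Get("list") != "true" {
			http.NotFound(w, r)
			return
		}
		keys := make([]string, 0, len(roles))
		for k := range roles {
			keys = append(keys, k)
		}
		sort.Strings(keys)
		json.NewEncoder(w).Encode(map[string]any{"data": map[string]any{"keys": keys}})
	})
	mux.HandleFunc("/v1/auth/oidc/role/", func(w http.ResponseWriter, r *http.Request) {
		role, ok := roles[strings.TrimPrefix(r.URL.Path, "/v1/auth/oidc/role/")]
		if !ok {
			http.NotFound(w, r)
			return
		}
		json.NewEncoder(w).Encode(map[string]any{"data": role})
	})
	return httptest.NewServer(mux)
}

func main() {
	srv := fakeServer()
	defer srv.Close()
	direct, err := DirectCallbackRoles(srv.Client(), srv.URL, "dev-token", "oidc")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("roles with callback_mode=direct:", direct)
}
```

Against a real server, replace the fake with the address and a token that can list and read the mount's roles, and run it once per OIDC/JWT mount, since the workaround has to cover every mount, not just one named `oidc`.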
Weakness: CWE-80 (Basic XSS)
Vendor Status
SUSE
| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |