Severity by source
CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionGitHub Advisory
OpenBao is an open source identity-based secrets management system. Prior to version 2.5.3, OpenBao's Certificate authentication method, when a token renewal is requested and disable_binding=true is set, attempts to verify the current request's presented mTLS certificate matches the original. Token renewals for other authentication methods do not require any supplied login information. Due to incorrect matching, the certificate authentication method would allow renewal of tokens for which the attacker had a sibling certificate+key signed by the same CA, but which did not necessarily match the original role or the originally supplied certificate. This implies an attacker could still authenticate to OpenBao in a similar scope, however, token renewal implies that an attacker may be able to extend the lifetime of dynamic leases held by the original token. This attack requires knowledge of either the original token or its accessor. This vulnerability is original from HashiCorp Vault. This is addressed in v2.5.3. As a workaround, ensure privileged roles are tightly scoped to single certificates.
AnalysisAI
OpenBao's Certificate authentication method with disable_binding=true allows token renewal using any sibling certificate signed by the same CA, rather than requiring the original certificate, enabling attackers with knowledge of a token or accessor to extend dynamic lease lifetimes beyond intended scope. The vulnerability affects OpenBao versions prior to 2.5.3 and requires high privileges and user interaction, resulting in a CVSS 2.0 score with low confidentiality and integrity impact. No public exploit code or active exploitation has been identified.
Technical ContextAI
OpenBao is a secrets management system that implements certificate-based authentication via mTLS. The Certificate authentication method is designed to bind tokens to specific client certificates when disable_binding=true, verifying that token renewal requests present the same certificate as the original authentication. The vulnerability stems from a flawed certificate matching algorithm (CWE-295: Improper Certificate Validation) in the renewal process that accepts any certificate within the same CA chain rather than enforcing exact certificate matching. This contrasts with other authentication methods in OpenBao that do not require supplying login information during token renewal. The affected component uses mTLS for client authentication but fails to properly validate certificate identity during renewal operations.
RemediationAI
Upgrade OpenBao to version 2.5.3 or later, which contains the corrected certificate validation logic for token renewals. If immediate patching is not feasible, ensure that Certificate authentication method roles are configured with narrow certificate scoping (as per the vendor workaround), binding each role to specific certificate subjects or certificate fingerprints rather than broad CA-level trust. This limits the scope of tokens an attacker with a sibling certificate could extend. Additionally, monitor token renewal requests for anomalous certificate switching or renewals from certificates not originally used to authenticate, which would indicate exploitation attempts. Disable the Certificate authentication method entirely if not in active use. Note that the workaround does not eliminate the vulnerability but reduces the practical scope of leaked tokens.
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
HashiCorp Terraform’s Vault Provider (terraform-provider-vault) did not correctly configure GCE-type bound labels for Va
An XML external entity (XXE) vulnerability in the Password Vault Web Access (PVWA) of CyberArk Enterprise Password Vault
PhotoRange Photo Vault 1.2 appends the password to the URI for authorization, which makes it easier for remote attackers
The REST API in CyberArk Password Vault Web Access before 9.9.5 and 10.x before 10.1 allows remote attackers to execute
Account takeover in self-hosted Bitwarden Server before 2026.6.0 lets a low-privileged organization member steal any oth
vault-cli is a configurable command-line interface tool (and python library) to interact with Hashicorp Vault. Rated cri
The SRP-6a implementation in Kee Vault KeePassRPC before 1.12.0 is missing validation for a client-provided parameter, w
The SRP-6a implementation in Kee Vault KeePassRPC before 1.12.0 generates insufficiently random numbers, which allows re
HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) before 4.0.24 uses weak permissions for the sudo help
Atlantis is a self-hosted golang application that listens for Terraform pull request events via webhooks. Rated high sev
Coder allows organizations to provision remote development environments via Terraform. Rated high severity (CVSS 8.1), t
Same weakness CWE-295 – Improper Certificate Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24029
GHSA-7ccv-rp6m-rffr