Skip to main content

Hashicorp CVE-2026-39388

| EUVDEUVD-2026-24029 LOW
Improper Certificate Validation (CWE-295)
2026-04-21 GitHub_M GHSA-7ccv-rp6m-rffr
2.0
CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
2.0 LOW
CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

7
Patch released
Apr 24, 2026 - 13:27 nvd
Patch available
Patch available
Apr 21, 2026 - 02:01 EUVD
Analysis Generated
Apr 21, 2026 - 01:24 vuln.today
CVSS changed
Apr 21, 2026 - 01:22 NVD
2.0 (LOW)
EUVD ID Assigned
Apr 21, 2026 - 01:15 euvd
EUVD-2026-24029
Analysis Generated
Apr 21, 2026 - 01:15 vuln.today
CVE Published
Apr 21, 2026 - 00:43 nvd
LOW 2.0

DescriptionGitHub Advisory

OpenBao is an open source identity-based secrets management system. Prior to version 2.5.3, OpenBao's Certificate authentication method, when a token renewal is requested and disable_binding=true is set, attempts to verify the current request's presented mTLS certificate matches the original. Token renewals for other authentication methods do not require any supplied login information. Due to incorrect matching, the certificate authentication method would allow renewal of tokens for which the attacker had a sibling certificate+key signed by the same CA, but which did not necessarily match the original role or the originally supplied certificate. This implies an attacker could still authenticate to OpenBao in a similar scope, however, token renewal implies that an attacker may be able to extend the lifetime of dynamic leases held by the original token. This attack requires knowledge of either the original token or its accessor. This vulnerability is original from HashiCorp Vault. This is addressed in v2.5.3. As a workaround, ensure privileged roles are tightly scoped to single certificates.

AnalysisAI

OpenBao's Certificate authentication method with disable_binding=true allows token renewal using any sibling certificate signed by the same CA, rather than requiring the original certificate, enabling attackers with knowledge of a token or accessor to extend dynamic lease lifetimes beyond intended scope. The vulnerability affects OpenBao versions prior to 2.5.3 and requires high privileges and user interaction, resulting in a CVSS 2.0 score with low confidentiality and integrity impact. No public exploit code or active exploitation has been identified.

Technical ContextAI

OpenBao is a secrets management system that implements certificate-based authentication via mTLS. The Certificate authentication method is designed to bind tokens to specific client certificates when disable_binding=true, verifying that token renewal requests present the same certificate as the original authentication. The vulnerability stems from a flawed certificate matching algorithm (CWE-295: Improper Certificate Validation) in the renewal process that accepts any certificate within the same CA chain rather than enforcing exact certificate matching. This contrasts with other authentication methods in OpenBao that do not require supplying login information during token renewal. The affected component uses mTLS for client authentication but fails to properly validate certificate identity during renewal operations.

RemediationAI

Upgrade OpenBao to version 2.5.3 or later, which contains the corrected certificate validation logic for token renewals. If immediate patching is not feasible, ensure that Certificate authentication method roles are configured with narrow certificate scoping (as per the vendor workaround), binding each role to specific certificate subjects or certificate fingerprints rather than broad CA-level trust. This limits the scope of tokens an attacker with a sibling certificate could extend. Additionally, monitor token renewal requests for anomalous certificate switching or renewals from certificates not originally used to authenticate, which would indicate exploitation attempts. Disable the Certificate authentication method entirely if not in active use. Note that the workaround does not eliminate the vulnerability but reduces the practical scope of leaked tokens.

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2021-30476 CRITICAL POC
9.8 Apr 22

HashiCorp Terraform’s Vault Provider (terraform-provider-vault) did not correctly configure GCE-type bound labels for Va

CVE-2019-7442 CRITICAL POC
9.8 May 08

An XML external entity (XXE) vulnerability in the Password Vault Web Access (PVWA) of CyberArk Enterprise Password Vault

CVE-2018-20371 CRITICAL POC
9.8 Dec 23

PhotoRange Photo Vault 1.2 appends the password to the URI for authorization, which makes it easier for remote attackers

CVE-2018-9843 CRITICAL POC
9.8 Apr 12

The REST API in CyberArk Password Vault Web Access before 9.9.5 and 10.x before 10.1 allows remote attackers to execute

CVE-2026-60104 CRITICAL POC
9.3 Jul 08

Account takeover in self-hosted Bitwarden Server before 2026.6.0 lets a low-privileged organization member steal any oth

CVE-2021-43837 CRITICAL POC
9.1 Dec 16

vault-cli is a configurable command-line interface tool (and python library) to interact with Hashicorp Vault. Rated cri

CVE-2020-16272 CRITICAL POC
9.1 Aug 03

The SRP-6a implementation in Kee Vault KeePassRPC before 1.12.0 is missing validation for a client-provided parameter, w

CVE-2020-16271 CRITICAL POC
9.1 Aug 03

The SRP-6a implementation in Kee Vault KeePassRPC before 1.12.0 generates insufficiently random numbers, which allows re

CVE-2017-11741 HIGH POC
8.8 Aug 08

HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) before 4.0.24 uses weak permissions for the sudo help

CVE-2024-52009 HIGH POC
8.5 Nov 08

Atlantis is a self-hosted golang application that listens for Terraform pull request events via webhooks. Rated high sev

CVE-2025-58437 HIGH POC
8.1 Sep 06

Coder allows organizations to provision remote development environments via Terraform. Rated high severity (CVSS 8.1), t

Share

CVE-2026-39388 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy