Skip to main content

Openbao CVE-2026-39396

| EUVDEUVD-2026-24031 LOW
Uncontrolled Resource Consumption (CWE-400)
2026-04-21 GitHub_M GHSA-r65v-xgwc-g56j
3.1
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
3.1 LOW
AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

6
Patch released
May 01, 2026 - 16:36 nvd
Patch available
Patch available
Apr 21, 2026 - 02:01 EUVD
Analysis Generated
Apr 21, 2026 - 01:24 vuln.today
EUVD ID Assigned
Apr 21, 2026 - 01:15 euvd
EUVD-2026-24031
Analysis Generated
Apr 21, 2026 - 01:15 vuln.today
CVE Published
Apr 21, 2026 - 00:44 nvd
LOW 3.1

DescriptionGitHub Advisory

OpenBao is an open source identity-based secrets management system. Prior to version 2.5.3, ExtractPluginFromImage() in OpenBao's OCI plugin downloader extracts a plugin binary from a container image by streaming decompressed tar data via io.Copy with no upper bound on the number of bytes written. An attacker who controls or compromises the OCI registry referenced in the victim's configuration can serve a crafted image containing a decompression bomb that decompresses to an arbitrarily large file. The SHA256 integrity check occurs after the full file is written to disk, meaning the hash mismatch is detected only after the damage (disk exhaustion) has already occurred. This allow the attacker to replace legit plugin image with no need to change its signature. Version 2.5.3 contains a patch.

AnalysisAI

Disk exhaustion via decompression bomb in OpenBao's OCI plugin downloader allows network attackers to exhaust victim disk resources by serving a crafted container image. The vulnerability exists in ExtractPluginFromImage() which writes decompressed tar streams without size bounds, and validates SHA256 integrity only after the full file is written to disk. An attacker controlling or compromising the OCI registry can replace legitimate plugin images with malicious compressed payloads that decompress to arbitrarily large files, causing denial of service. OpenBao versions prior to 2.5.3 are affected; the CVSS score of 3.1 reflects low impact (availability only) but the attack requires the victim to manually trigger plugin extraction with a compromised registry configured.

Technical ContextAI

OpenBao's plugin distribution mechanism downloads container images from OCI registries and extracts embedded plugin binaries using the ExtractPluginFromImage() function. The root cause (CWE-400: Uncontrolled Resource Consumption) stems from the use of io.Copy() without size limits when decompressing tar-formatted image layers. Unlike secure implementations that validate decompressed size before writing or enforce maximum read bounds, OpenBao's code streams all decompressed data directly to disk. The SHA256 integrity check, intended as a trust boundary, executes after file write completion rather than during the stream, making it ineffective as a denial-of-service mitigation. The vulnerability specifically affects the plugin bootstrap flow where users reference external OCI registries (such as Docker Hub, private registries, or compromised public registries) in their OpenBao configuration.

RemediationAI

Upgrade to OpenBao version 2.5.3 or later, which implements size-bounded decompression in ExtractPluginFromImage() and validates SHA256 prior to or during extraction. The patched version adds maximum file size limits to the decompression stream, preventing arbitrarily large files from being written. If immediate upgrade is not possible, restrict access to OCI registries by implementing network-level controls: configure firewall rules to permit OpenBao to connect only to trusted, internal registries or use registry mirrors you control and audit regularly. Alternatively, disable OCI plugin loading entirely (if not required) via OpenBao's plugin configuration, falling back to pre-downloaded or locally-staged plugins. Be aware that disabling OCI plugins may impact plugin update workflows and require manual plugin management. Validate all configured registry endpoints in OpenBao configuration files and confirm they are under your organizational control or belong to verified, non-compromised sources. See GHSA-r65v-xgwc-g56j for patched release links.

CVE-2024-2048 CRITICAL
9.8 Mar 04

Vault and Vault Enterprise (“Vault”) TLS certificate auth method did not correctly validate client certificates when con

CVE-2025-54997 CRITICAL
9.1 Aug 09

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certifi

CVE-2024-7594 HIGH
8.8 Sep 26

Vault’s SSH secrets engine did not require the valid_principals list to contain a value by default. Rated high severity

CVE-2025-52894 HIGH
7.5 Jun 25

OpenBao versions before 2.3.0 contain an unauthenticated denial-of-service vulnerability in the root rekey and recovery

CVE-2025-64761 HIGH
7.5 Nov 25

OpenBao is an open source identity-based secrets management system. Rated high severity (CVSS 7.5), this vulnerability i

CVE-2024-8185 HIGH
7.5 Oct 31

Vault Community and Vault Enterprise (“Vault”) clusters using Vault’s Integrated Storage backend are vulnerable to a den

CVE-2024-9180 HIGH
7.2 Oct 10

A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or

CVE-2025-54998 MEDIUM
5.3 Aug 09

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certifi

CVE-2025-4166 MEDIUM
4.5 May 02

Vault Community and Vault Enterprise Key/Value (kv) Version 2 plugin may unintentionally expose sensitive information in

CVE-2025-52893 MEDIUM
4.5 Jun 25

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certifi

CVE-2026-40264 LOW
2.0 Apr 21

OpenBao versions prior to 2.5.3 allow high-privileged administrators in one tenant to revoke or renew authentication tok

CVE-2025-55003 MEDIUM
5.7 Aug 09

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certifi

Share

CVE-2026-39396 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy