Skip to main content

OpenBao CVE-2026-55774

LOW
Incorrect Authorization (CWE-863)
2026-06-19 https://github.com/openbao/openbao GHSA-c36x-h252-g9x2

Severity by source

vuln.today AI
6.4 MEDIUM

Network API exploitation with low-privilege auth token (PR:L); scope changes because impact crosses namespace security boundaries (S:C); no credential confidentiality exposure, only revocation (C:N, I:L, A:L).

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 19, 2026 - 23:46 vuln.today
Analysis Generated
Jun 19, 2026 - 23:46 vuln.today

DescriptionCVE.org

Summary

OpenBao users with access to the sys/leases/revoke/:lease_id endpoint in any namespace can revoke leases in any other namespace as long as the lease identifier is known to them, bypassing ACLs that should apply for cross-namespace revocations.

Impact

OpenBao's namespaces provide multi-tenant separation. A tenant who intentionally leaks lease identifiers can have their lease and underlying credential revoked by a user in another tenant.

Patch

This will be fixed in OpenBao v2.5.5.

References

This vulnerability is similar to but distinct from:

  • CVE-2026-45808 / GHSA-v8v8-cm84-m686
  • CVE-2026-40264 / GHSA-p49j-v9wc-wg57

AnalysisAI

Cross-namespace lease revocation in OpenBao allows authenticated tenants in one namespace to revoke leases belonging to any other namespace, bypassing multi-tenant ACL boundaries. Affected are all OpenBao versions from 0.1.0 through 2.5.4 (Go module pkg:go/github.com/openbao/openbao). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with low-privilege token in any namespace
Delivery
Acquire foreign namespace lease identifier via leak or disclosure
Exploit
Call sys/leases/revoke/:lease_id with cross-namespace ID
Execution
Vulnerable code extracts embedded namespace, overrides request context
Persist
ACL check for victim namespace is bypassed
Impact
Victim namespace credentials and lease revoked

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold a valid authenticated token in any OpenBao namespace - including low-privilege tokens - with access to the sys/leases/revoke path (or sys/leases/renew for the renewal variant). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No official CVSS vector was published with this CVE, so all scoring is assessed independently. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privileged tenant user in OpenBao namespace 'tenant-a' obtains a lease ID belonging to namespace 'tenant-b' - for example through a shared log file, a misconfigured audit backend, or a deliberately leaked identifier from a colluding insider. The attacker then calls the canonical REST API endpoint sys/leases/revoke/tenant-b-lease-id-with-embedded-nsid from within tenant-a. …
Remediation Upgrade to OpenBao v2.5.5, which contains the fix from commit b20b999dd4044d7b419a5472d8fe08407828be37 and PR #3307 (https://github.com/openbao/openbao/pull/3307). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-55774 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy