OpenBao CVE-2026-55774
LOWSeverity by source
Network API exploitation with low-privilege auth token (PR:L); scope changes because impact crosses namespace security boundaries (S:C); no credential confidentiality exposure, only revocation (C:N, I:L, A:L).
Lifecycle Timeline
2DescriptionCVE.org
Summary
OpenBao users with access to the sys/leases/revoke/:lease_id endpoint in any namespace can revoke leases in any other namespace as long as the lease identifier is known to them, bypassing ACLs that should apply for cross-namespace revocations.
Impact
OpenBao's namespaces provide multi-tenant separation. A tenant who intentionally leaks lease identifiers can have their lease and underlying credential revoked by a user in another tenant.
Patch
This will be fixed in OpenBao v2.5.5.
References
This vulnerability is similar to but distinct from:
- CVE-2026-45808 / GHSA-v8v8-cm84-m686
- CVE-2026-40264 / GHSA-p49j-v9wc-wg57
AnalysisAI
Cross-namespace lease revocation in OpenBao allows authenticated tenants in one namespace to revoke leases belonging to any other namespace, bypassing multi-tenant ACL boundaries. Affected are all OpenBao versions from 0.1.0 through 2.5.4 (Go module pkg:go/github.com/openbao/openbao). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold a valid authenticated token in any OpenBao namespace - including low-privilege tokens - with access to the sys/leases/revoke path (or sys/leases/renew for the renewal variant). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No official CVSS vector was published with this CVE, so all scoring is assessed independently. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A low-privileged tenant user in OpenBao namespace 'tenant-a' obtains a lease ID belonging to namespace 'tenant-b' - for example through a shared log file, a misconfigured audit backend, or a deliberately leaked identifier from a colluding insider. The attacker then calls the canonical REST API endpoint sys/leases/revoke/tenant-b-lease-id-with-embedded-nsid from within tenant-a. … |
| Remediation | Upgrade to OpenBao v2.5.5, which contains the fix from commit b20b999dd4044d7b419a5472d8fe08407828be37 and PR #3307 (https://github.com/openbao/openbao/pull/3307). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-c36x-h252-g9x2