EUVD-2026-16624
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L
Lifecycle Timeline
4Description
### Impact OpenBao does not prompt for user confirmation when logging in via JWT/OIDC and a role with `callback_mode` set to `direct`. This allows an attacker to start an authentication request and perform "remote phishing" by having the victim visit the URL and automatically log-in to the session of the attacker. Despite being based on the authorization code flow, the `direct` mode calls back directly to the API and allows an attacker to poll for an OpenBao token until it is issued. ### Patches Version 2.5.2 includes an additional confirmation screen for `direct` type logins that requires manual user interaction in order to finish the authentication. ### Workarounds This issue can be worked around either by removing any roles with `callback_mode=direct` or enforcing confirmation for every session on the token issuer side for the Client ID used by OpenBao.
Analysis
OpenBao JWT/OIDC authentication with direct callback mode allows remote phishing attacks where attackers can hijack user sessions without confirmation prompts, affecting installations using the direct callback_mode configuration. The vulnerability stems from lack of user interaction requirements during authorization code flow authentication, enabling session fixation attacks where victims visiting attacker-controlled URLs automatically authenticate into the attacker's session. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all OpenBao deployments using JWT/OIDC direct callback_mode configuration by reviewing authentication settings and documenting affected instances. Within 7 days: Apply vendor patch to upgrade all affected OpenBao instances to version 2.5.2 or later, prioritizing production environments and those with administrative user populations. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today