
Session Fixation EUVD-2026-16624

CVE-2026-33757 | CRITICAL 9.6 (CVSS 3.1)
Session Fixation (CWE-384)
2026-03-26 | https://github.com/openbao/openbao

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: High
Integrity: High
Availability: Low

Lifecycle Timeline

EUVD ID Assigned - Mar 26, 2026 18:45 (euvd): EUVD-2026-16624
Analysis Generated - Mar 26, 2026 18:45 (vuln.today)
Patch released - Mar 26, 2026 18:45 (nvd): Patch available
CVE Published - Mar 26, 2026 18:32 (nvd)

Description (NVD)

Impact

OpenBao does not prompt for user confirmation when logging in via JWT/OIDC and a role with callback_mode set to direct.

This allows an attacker to start an authentication request and perform "remote phishing": the victim visits the resulting URL and is automatically logged in to the attacker's session. Although it is based on the authorization code flow, the direct mode calls back directly to the API, so the attacker can poll for an OpenBao token until it is issued.

Patches

Version 2.5.2 includes an additional confirmation screen for direct type logins that requires manual user interaction in order to finish the authentication.

Workarounds

This issue can be worked around either by removing any roles with callback_mode=direct or enforcing confirmation for every session on the token issuer side for the Client ID used by OpenBao.

Analysis (AI)

OpenBao JWT/OIDC authentication with direct callback mode allows remote phishing attacks where attackers can hijack user sessions without confirmation prompts, affecting installations using the direct callback_mode configuration. The vulnerability stems from lack of user interaction requirements during authorization code flow authentication, enabling session fixation attacks where victims visiting attacker-controlled URLs automatically authenticate into the attacker's session. …


Remediation (AI)

Within 24 hours: Identify all OpenBao deployments using JWT/OIDC direct callback_mode configuration by reviewing authentication settings and documenting affected instances. Within 7 days: Apply vendor patch to upgrade all affected OpenBao instances to version 2.5.2 or later, prioritizing production environments and those with administrative user populations. …
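A defender-side triage helper for the workaround above and the "identify affected instances" step of the remediation, added here as an example and not OpenBao's own code: given the server version and an export of the JWT/OIDC roles, it reports which roles use callback_mode=direct and whether the version is below the fixed 2.5.2. The role records and role names are constructed samples, and treating a missing callback_mode as non-direct is an assumption; only the callback_mode field and the 2.5.2 threshold come from the advisory.

```python
"""Triage helper for CVE-2026-33757 (OpenBao JWT/OIDC, callback_mode=direct).

Added example, not OpenBao code. Inputs are the server version string and a
mapping of role name -> role configuration as exported from the auth backend.
"""
import re

FIXED_VERSION = (2, 5, 2)  # advisory: 2.5.2 adds the confirmation screen


def parse_version(v: str) -> tuple:
    """'v2.5.1' -> (2, 5, 1, 1); '2.5.2-beta1' -> (2, 5, 2, 0).

    The trailing element orders a pre-release (0) before its final release (1),
    so a 2.5.2 pre-release is not treated as patched.
    """
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?$", v.strip())
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    core = tuple(int(x) for x in m.groups()[:3])
    return core + ((0,) if m.group(4) else (1,))


def is_patched(version: str) -> bool:
    """True when the server is at or above the 2.5.2 final release."""
    return parse_version(version) >= FIXED_VERSION + (1,)


def exposed_roles(roles: dict) -> list:
    """Names of roles configured with callback_mode=direct (the affected mode).
    Assumption: a role without callback_mode is not in direct mode."""
    return sorted(n for n, cfg in roles.items()
                  if cfg.get("callback_mode") == "direct")


def triage(version: str, roles: dict) -> dict:
    """Combine version and role checks into one finding for this instance."""
    direct = exposed_roles(roles)
    patched = is_patched(version)
    return {
        "version": version,
        "patched": patched,
        "direct_roles": direct,
        # Exposed only if a direct-mode role exists on an unpatched server.
        "vulnerable": bool(direct) and not patched,
    }


# Constructed sample export (role names and fields are illustrative).
SAMPLE_ROLES = {
    "admins": {"role_type": "oidc", "callback_mode": "direct"},
    "devs":   {"role_type": "oidc", "callback_mode": "client"},
    "ci-jwt": {"role_type": "jwt"},
}

if __name__ == "__main__":
    print(triage("2.5.1", SAMPLE_ROLES))
```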



EUVD-2026-16624 vulnerability details – vuln.today
