Skip to main content

Openbao EUVDEUVD-2026-24037

| CVE-2026-40264 LOW
Improper Restriction of Security Token Assignment (CWE-1259)
2026-04-21 GitHub_M GHSA-p49j-v9wc-wg57
2.0
CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
2.0 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

7
Patch released
Apr 24, 2026 - 13:29 nvd
Patch available
Patch available
Apr 21, 2026 - 02:01 EUVD
Analysis Generated
Apr 21, 2026 - 01:24 vuln.today
CVSS changed
Apr 21, 2026 - 01:22 NVD
2.0 (LOW)
EUVD ID Assigned
Apr 21, 2026 - 01:15 euvd
EUVD-2026-24037
Analysis Generated
Apr 21, 2026 - 01:15 vuln.today
CVE Published
Apr 21, 2026 - 00:47 nvd
LOW 2.0

DescriptionGitHub Advisory

OpenBao is an open source identity-based secrets management system. OpenBao's namespaces provide multi-tenant separation. Prior to version 2.5.3, a tenant who leaks token accessors can have their token revoked or renewed by a privileged administrator in another tenant. This is addressed in v2.5.3.

AnalysisAI

OpenBao versions prior to 2.5.3 allow high-privileged administrators in one tenant to revoke or renew authentication tokens belonging to users in other tenants if the token accessor is disclosed, bypassing the multi-tenant isolation guarantee. The vulnerability requires high privilege level and user interaction but undermines the core security boundary of OpenBao's namespace-based multi-tenancy model. No active exploitation has been reported.

Technical ContextAI

OpenBao is an identity and secrets management system that enforces multi-tenant isolation through namespace partitioning. Token accessors are identifiers used to reference tokens within the system; they differ from token values themselves but can be used to perform administrative operations like token revocation or renewal. CWE-1259 (Improper Restriction of Rendered UI Layers or Frames) indicates a control flow or authorization bypass issue where one tenant's isolation boundary can be crossed by leveraging leaked metadata (the token accessor) combined with high administrative privileges. The vulnerability exists in the token management logic where accessor-based operations fail to properly validate that the requesting administrator's tenant context matches the token's tenant context before permitting the operation.

RemediationAI

Upgrade OpenBao to version 2.5.3 or later. This is the primary fix and fully resolves the cross-tenant token operation vulnerability. Organizations unable to upgrade immediately should implement compensating controls: (1) Restrict administrative token operations (revocation, renewal) to only same-tenant contexts by implementing custom authorization policies if OpenBao's policy engine supports tenant-aware conditions - this requires careful policy engineering and should be validated with vendor support; (2) Implement strict access controls on high-privilege administrator accounts across tenants, using role-based access control to limit which administrators can perform token operations and in which tenants; (3) Monitor and audit all token revocation and renewal events, particularly cross-tenant operations, to detect abuse. These workarounds are complex and may not fully prevent the vulnerability, so patching is strongly recommended. The vendor advisory at https://github.com/openbao/openbao/security/advisories/GHSA-p49j-v9wc-wg57 should be reviewed for additional context.

CVE-2024-2048 CRITICAL
9.8 Mar 04

Vault and Vault Enterprise (“Vault”) TLS certificate auth method did not correctly validate client certificates when con

CVE-2025-54997 CRITICAL
9.1 Aug 09

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certifi

CVE-2024-7594 HIGH
8.8 Sep 26

Vault’s SSH secrets engine did not require the valid_principals list to contain a value by default. Rated high severity

CVE-2025-52894 HIGH
7.5 Jun 25

OpenBao versions before 2.3.0 contain an unauthenticated denial-of-service vulnerability in the root rekey and recovery

CVE-2025-64761 HIGH
7.5 Nov 25

OpenBao is an open source identity-based secrets management system. Rated high severity (CVSS 7.5), this vulnerability i

CVE-2024-8185 HIGH
7.5 Oct 31

Vault Community and Vault Enterprise (“Vault”) clusters using Vault’s Integrated Storage backend are vulnerable to a den

CVE-2024-9180 HIGH
7.2 Oct 10

A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or

CVE-2025-54998 MEDIUM
5.3 Aug 09

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certifi

CVE-2025-4166 MEDIUM
4.5 May 02

Vault Community and Vault Enterprise Key/Value (kv) Version 2 plugin may unintentionally expose sensitive information in

CVE-2025-52893 MEDIUM
4.5 Jun 25

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certifi

CVE-2026-39396 LOW
3.1 Apr 21

Disk exhaustion via decompression bomb in OpenBao's OCI plugin downloader allows network attackers to exhaust victim dis

CVE-2025-55003 MEDIUM
5.7 Aug 09

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certifi

Share

EUVD-2026-24037 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy