Platform
go
Component
github.com/openbao/openbao
Fixed in
2.5.3
0.0.0-20260325133417-6e2b2dd84f0e
CVE-2026-33758 is a cross-site scripting (XSS) vulnerability in OpenBao deployments that authenticate users with the OIDC/JWT auth method and have at least one role configured with callback_mode=direct. By luring a logged-in user to a crafted failed-login callback URL, an attacker can run script in that user's Web UI session and read the OpenBao token the UI holds, gaining that user's access. All versions before the fix are affected; the advisory gives the patched release as v2.5.2, which replaces the reflected parameter with a static error message.
The primary impact is theft of the token the OpenBao Web UI uses for the victim's session. On a failed authentication the callback page reflected the error_description query parameter into its HTML without encoding, so an attacker who gets a victim to open a crafted callback URL executes arbitrary JavaScript in the origin of the OpenBao UI, from where the token can be read and exfiltrated. The attacker can then replay that token against the API and act as the victim with whatever policies the token carries: reading secrets and, for an operator account, reconfiguring the server. The blast radius is the union of the permissions of every user whose session is captured this way.
The vulnerability was publicly disclosed on March 26, 2026. There is currently no indication of active exploitation and no public proof-of-concept exploit, which limits the immediate risk; its seriousness comes from the token theft and the unauthorized access that follows. It is not listed in the CISA KEV catalog.
Exploit status
EPSS
0.12% (31st percentile)
CISA SSVC
The most effective mitigation is to upgrade OpenBao to a fixed release. The advisory names 2.5.2 as the version that replaces the reflected error_description parameter with a static error message, while the fix metadata at the top of this page lists 2.5.3 and the Go pseudo-version 0.0.0-20260325133417-6e2b2dd84f0e; where the two disagree, treat the later one as the floor. If an immediate upgrade is not possible, remove every role on every OIDC/JWT auth mount whose callback_mode is set to direct; the vulnerable callback flow is only reached through such roles. After upgrading, verify the fix by requesting the callback URL as a failed login (error set, and a distinctive harmless marker containing angle brackets in error_description) and confirming that the marker does not appear anywhere in the response body.
Update OpenBao to version 2.5.2 or later. Alternatively, remove all roles whose `callback_mode` is set to `direct`.
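The reflection described in the impact section and the post-upgrade check from the mitigation above, as an added Go example that is not OpenBao's code: a hypothetical direct-mode callback page that echoes error_description unencoded, the same page with the static-message fix, and a probe that requests each as a failed login and reports whether the marker comes back verbatim. The route /oidc/callback, the handler bodies and the marker string are assumptions for illustration; only the shape of the fix (drop the parameter, render fixed text) follows the advisory.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// probe is the marker the check sends in error_description. A correctly
// fixed callback page must never echo it back verbatim.
const probe = `<script>alert(document.cookie)</script>`

// vulnerableCallback is a hypothetical stand-in for a direct-mode OIDC
// callback page (not OpenBao's code). On a failed login the identity
// provider redirects the browser here with error and error_description,
// and the page interpolates error_description into the HTML unencoded.
func vulnerableCallback(w http.ResponseWriter, r *http.Request) {
	q := r.URL.Query()
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	if q.Get("error") == "" {
		fmt.Fprint(w, "<html><body><p>Login succeeded.</p></body></html>")
		return
	}
	// Reflected XSS: whoever crafts the URL controls this string.
	fmt.Fprintf(w, "<html><body><h1>Login failed</h1><p>%s</p></body></html>",
		q.Get("error_description"))
}

// fixedCallback has the shape of the advisory's fix: the untrusted
// parameter is ignored and a static message is rendered instead.
func fixedCallback(w http.ResponseWriter, r *http.Request) {
	q := r.URL.Query()
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	if q.Get("error") == "" {
		fmt.Fprint(w, "<html><body><p>Login succeeded.</p></body></html>")
		return
	}
	fmt.Fprint(w, "<html><body><h1>Login failed</h1>"+
		"<p>Authentication failed. Check the server logs for details.</p></body></html>")
}

// reflectsProbe is the post-upgrade check: request the callback as a failed
// login with the probe in error_description and report whether the probe
// appears unchanged in the body. /oidc/callback is an assumed example path.
func reflectsProbe(h http.Handler) (bool, error) {
	srv := httptest.NewServer(h)
	defer srv.Close()

	params := url.Values{
		"state":             {"opaque-state-value"},
		"error":             {"access_denied"},
		"error_description": {probe},
	}
	resp, err := http.Get(srv.URL + "/oidc/callback?" + params.Encode())
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return false, err
	}
	return strings.Contains(string(body), probe), nil
}

func main() {
	for name, h := range map[string]http.HandlerFunc{
		"vulnerable": vulnerableCallback,
		"fixed":      fixedCallback,
	} {
		reflected, err := reflectsProbe(h)
		if err != nil {
			fmt.Println(name, "error:", err)
			continue
		}
		fmt.Printf("%-10s reflects probe: %v\n", name, reflected)
	}
}
```

Against a real deployment the same check is a single browser or curl request to the callback URL with the marker in error_description; a response that contains the marker verbatim means the server is still on a vulnerable build.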
OIDC (OpenID Connect) and JWT (JSON Web Token) are the identity protocols behind OpenBao's OIDC/JWT auth method: they let OpenBao verify who a user is through an external identity provider before issuing that user an OpenBao token.
With callback_mode=direct the OpenBao server itself handles the browser's return from the identity provider, and that callback page rendered the provider-supplied error_description parameter on a failed login without encoding it. Because the parameter is just part of the URL, an attacker can craft a link that carries script in it; that is the XSS this CVE describes.
If you cannot upgrade to OpenBao 2.5.2 immediately, remove the roles that have callback_mode=direct as a temporary measure. Roles using any other callback mode are not affected by this flaw, so the rest of your OIDC/JWT configuration can stay in place.
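An added Go example, not part of this page or of OpenBao, for inventorying the roles the workaround asks you to remove: it reads sys/auth, lists the roles on each oidc/jwt mount through the Vault-compatible HTTP API and returns those whose callback_mode is direct. It runs against an embedded httptest stub with constructed responses (the mounts, role names and token are made up); pointing it at a real server needs its address and a token with read on sys/auth and list/read on the role paths. The envelope shape assumed here is the usual one: a "data" object, LIST answering with "keys", and 404 for a mount with no roles.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sort"
)

// DirectRole names one OIDC/JWT role whose callback_mode is "direct".
type DirectRole struct{ Mount, Role string }
var errNotFound = errors.New("not found")

// apiCall does one authenticated OpenBao API request and decodes the "data"
// object of the JSON envelope into out (X-Vault-Token carries the token).
func apiCall(method, addr, token, path string, out any) error {
	req, err := http.NewRequest(method, addr+"/v1/"+path, nil)
	if err != nil {
		return err
	}
	req.Header.Set("X-Vault-Token", token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode == http.StatusNotFound {
		return errNotFound // LIST on a mount with no roles answers 404
	}
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("%s %s: HTTP %d", method, path, resp.StatusCode)
	}
	var envelope struct{ Data json.RawMessage `json:"data"` }
	if err := json.NewDecoder(resp.Body).Decode(&envelope); err != nil {
		return err
	}
	return json.Unmarshal(envelope.Data, out)
}

// findDirectCallbackRoles walks every oidc/jwt auth mount and returns the
// roles with callback_mode=direct, sorted. A role without the field is on
// the plugin default, which is not "direct".
func findDirectCallbackRoles(addr, token string) ([]DirectRole, error) {
	var mounts map[string]struct{ Type string `json:"type"` }
	if err := apiCall("GET", addr, token, "sys/auth", &mounts); err != nil {
		return nil, err
	}
	var found []DirectRole
	for mount, m := range mounts { // keys look like "oidc/"
		if m.Type != "oidc" && m.Type != "jwt" {
			continue
		}
		var list struct{ Keys []string `json:"keys"` }
		err := apiCall("LIST", addr, token, "auth/"+mount+"role", &list)
		if errors.Is(err, errNotFound) {
			continue
		}
		if err != nil {
			return nil, err
		}
		for _, name := range list.Keys {
			var role struct{ CallbackMode string `json:"callback_mode"` }
			if err := apiCall("GET", addr, token, "auth/"+mount+"role/"+name, &role); err != nil {
				return nil, err
			}
			if role.CallbackMode == "direct" {
				found = append(found, DirectRole{Mount: mount, Role: name})
			}
		}
	}
	sort.Slice(found, func(i, j int) bool { return found[i].Mount+found[i].Role < found[j].Mount+found[j].Role })
	return found, nil
}

// newStubOpenBao serves constructed responses so the scan runs offline.
// The jwt/ mount has no LIST entry, so it exercises the 404 path.
func newStubOpenBao() *httptest.Server {
	responses := map[string]string{
		"GET /v1/sys/auth":                 `{"data":{"oidc/":{"type":"oidc"},"jwt/":{"type":"jwt"},"token/":{"type":"token"}}}`,
		"LIST /v1/auth/oidc/role":          `{"data":{"keys":["admin","developer"]}}`,
		"GET /v1/auth/oidc/role/admin":     `{"data":{"role_type":"oidc","callback_mode":"direct","user_claim":"sub"}}`,
		"GET /v1/auth/oidc/role/developer": `{"data":{"role_type":"oidc","callback_mode":"client","user_claim":"sub"}}`,
	}
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-Vault-Token") != "stub-root-token" {
			w.WriteHeader(http.StatusForbidden)
			return
		}
		if body, ok := responses[r.Method+" "+r.URL.Path]; ok {
			fmt.Fprint(w, body)
			return
		}
		w.WriteHeader(http.StatusNotFound)
	}))
}

func main() {
	srv := newStubOpenBao() // point addr and token at a real server instead
	defer srv.Close()
	roles, err := findDirectCallbackRoles(srv.URL, "stub-root-token")
	fmt.Println(roles, err)
}
```

Each reported role is one to delete (or to move off direct mode, if your deployment allows another mode) until the upgrade is done; rerun the scan afterwards so that nothing was re-created by automation in the meantime.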
The running version is shown by `bao version` or `bao status` on the server and in the version field of the unauthenticated /v1/sys/health endpoint; the Web UI's administration page shows it as well.
Although the vulnerability was only recently disclosed, it may have been exploited before the patch was available. Reviewing audit logs is recommended: look for OIDC login failures followed by use of that user's token from an unfamiliar client address, and check reverse-proxy or load-balancer access logs for callback requests whose error_description query parameter contains markup or script.