Platform
go
Component
openbao
Fixed in
2.5.3
CVE-2026-33757 is a critical vulnerability in OpenBao, the identity-based secrets management system, affecting versions prior to 2.5.2. It allows a remote attacker to carry out a phishing attack that ends with the attacker holding an OpenBao token for the victim's identity. The flaw is that when a user logs in through the JWT/OIDC auth method with a role configured for direct callback mode (`callback_mode: direct`), OpenBao completes the login without asking the user to confirm it, so a login flow the attacker started can be finished by the victim and collected by the attacker. A fix is available in version 2.5.2.
The primary impact of CVE-2026-33757 is unauthorized access to the secrets OpenBao manages. The attacker starts an OIDC login against a direct-callback role, obtains the authorization URL for that flow, and tricks a legitimate user into opening it. Because the identity provider redirects straight back to OpenBao in direct callback mode, and no confirmation step is shown, the victim's successful sign-in completes the attacker's flow. The attacker, who never had to present credentials, then polls the OpenBao API and receives a token issued under the victim's identity, with the victim's policies. This bypasses the intended authentication control and lets the attacker read and potentially exfiltrate any secret the victim could reach. The blast radius extends to every application or service that relies on OpenBao for secrets, since those secrets typically unlock further systems.
CVE-2026-33757 was publicly disclosed on 2026-03-27. Its severity is rated CRITICAL (9.6): the attack is easy to carry out, needs no attacker privileges, and the resulting token can compromise systems beyond OpenBao itself. There are currently no known public proof-of-concept exploits, but the flow is simple enough that one may emerge. It is not currently listed in the CISA KEV catalog. Active exploitation campaigns have not been confirmed, but the potential for abuse warrants immediate attention.
Exploit Status: EPSS 0.07% (21st percentile)
The primary mitigation for CVE-2026-33757 is to upgrade OpenBao to version 2.5.2 or later, which adds a user confirmation step to the JWT/OIDC login in direct callback mode so a victim cannot silently complete a flow someone else started. If upgrading is not immediately feasible, remove `callback_mode: direct` from the affected roles, or switch them back to the default `client` mode, for the interim. This changes the login experience for CLI users but removes the vulnerable path. Monitor the OpenBao audit log for JWT/OIDC logins where the party polling for the token is not the party that delivered the identity provider callback; that mismatch is the signature of this attack. Web Application Firewall rules are of limited value here, because every request in the attack is a well-formed OIDC exchange that is indistinguishable, on its own, from a legitimate one. There are no specific Sigma or YARA rules available at this time, but alerting on unusual JWT/OIDC authentication patterns is recommended.
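The audit-log check suggested above, as an added example that is not part of the advisory or of the OpenBao project. It assumes the Vault-derived audit line format (`type`, `request.path`, `request.remote_address`, `request.data`) and assumes that a direct-mode login shows up as `.../oidc/poll` requests from the client and an `.../oidc/callback` request from the browser; the log lines are constructed, not captured. Request data values are HMACed by the audit device, but the same `state` produces the same HMAC within a device, so it still works as a correlation key.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// auditEntry models the subset of an OpenBao audit-device JSON line used here.
// Field names follow the Vault-derived audit format; the oidc/poll and
// oidc/callback paths are this example's assumptions about the direct-callback
// flow, not details taken from the advisory.
type auditEntry struct {
	Type    string `json:"type"`
	Request struct {
		Path          string         `json:"path"`
		RemoteAddress string         `json:"remote_address"`
		Data          map[string]any `json:"data"`
	} `json:"request"`
}

// Finding records one login where the token poller and the callback deliverer differ.
type Finding struct {
	State        string
	PollAddr     string
	CallbackAddr string
}

// splitLoginParties scans audit log lines and, per OIDC state value, reports a
// finding when the address polling for the token differs from the address that
// delivered the IdP callback. In the attack described above the attacker polls
// while the victim's browser completes the callback, so the two never match.
func splitLoginParties(auditLog string) ([]Finding, error) {
	poller := map[string]string{}   // state -> remote_address of oidc/poll
	callback := map[string]string{} // state -> remote_address of oidc/callback
	sc := bufio.NewScanner(strings.NewReader(auditLog))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var e auditEntry
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("bad audit line %q: %w", line, err)
		}
		if e.Type != "request" { // response lines repeat the same data
			continue
		}
		state, _ := e.Request.Data["state"].(string)
		if state == "" {
			continue
		}
		switch {
		case strings.HasSuffix(e.Request.Path, "/oidc/poll"):
			poller[state] = e.Request.RemoteAddress
		case strings.HasSuffix(e.Request.Path, "/oidc/callback"):
			callback[state] = e.Request.RemoteAddress
		}
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	var out []Finding
	for state, p := range poller {
		if c, ok := callback[state]; ok && c != p {
			out = append(out, Finding{State: state, PollAddr: p, CallbackAddr: c})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].State < out[j].State })
	return out, nil
}

// sampleAuditLog is constructed for this example, not captured from a real
// server. The login with state ...aaaa is polled from one address and completed
// from another; ...bbbb is a normal login where both sides share a host.
const sampleAuditLog = `
{"time":"2026-03-28T09:00:01Z","type":"request","request":{"operation":"update","path":"auth/oidc/oidc/poll","remote_address":"203.0.113.7","data":{"client_nonce":"hmac-sha256:1111","state":"hmac-sha256:aaaa"}}}
{"time":"2026-03-28T09:00:09Z","type":"request","request":{"operation":"read","path":"auth/oidc/oidc/callback","remote_address":"198.51.100.23","data":{"code":"hmac-sha256:2222","state":"hmac-sha256:aaaa"}}}
{"time":"2026-03-28T09:00:10Z","type":"response","request":{"operation":"read","path":"auth/oidc/oidc/callback","remote_address":"198.51.100.23","data":{"state":"hmac-sha256:aaaa"}}}
{"time":"2026-03-28T09:01:00Z","type":"request","request":{"operation":"update","path":"auth/oidc/oidc/poll","remote_address":"10.0.0.5","data":{"client_nonce":"hmac-sha256:3333","state":"hmac-sha256:bbbb"}}}
{"time":"2026-03-28T09:01:04Z","type":"request","request":{"operation":"read","path":"auth/oidc/oidc/callback","remote_address":"10.0.0.5","data":{"code":"hmac-sha256:4444","state":"hmac-sha256:bbbb"}}}
`

func main() {
	findings, err := splitLoginParties(sampleAuditLog)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("state %s: polled from %s, callback from %s\n", f.State, f.PollAddr, f.CallbackAddr)
	}
}
```

Expect false positives where a user legitimately runs the CLI on one host (a jump box, a container) and the browser on another; treat a hit as a lead to check against the session's identity and source, not as proof of compromise.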
Update OpenBao to version 2.5.2 or higher. Alternatively, remove any roles with `callback_mode=direct`, or configure the identity provider to require confirmation (prompt on every login) for the Client ID used by OpenBao, so that the victim cannot complete a flow they did not start without noticing.
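A small audit helper for the two checks above (which roles use `callback_mode=direct`, and whether a server version is at or past 2.5.2), added here as an example that is not part of the advisory or of OpenBao itself. It assumes the JSON envelope returned by `bao read -format=json auth/<mount>/role/<name>` wraps the role fields in `"data"`, as the Vault-derived API does; the role reads embedded in `main` are constructed, not real output.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// roleRead models the envelope returned by
// `bao read -format=json auth/<mount>/role/<name>`; only the field used here is
// declared. The "data" wrapper follows the Vault-derived API shape (assumption).
type roleRead struct {
	Data struct {
		CallbackMode string `json:"callback_mode"`
	} `json:"data"`
}

// directCallbackRoles takes raw role reads keyed by role name and returns the
// sorted names of roles configured with callback_mode=direct. A role with no
// callback_mode field uses the default mode and is not reported.
func directCallbackRoles(reads map[string][]byte) ([]string, error) {
	var hits []string
	for name, raw := range reads {
		var r roleRead
		if err := json.Unmarshal(raw, &r); err != nil {
			return nil, fmt.Errorf("role %q: %w", name, err)
		}
		if r.Data.CallbackMode == "direct" {
			hits = append(hits, name)
		}
	}
	sort.Strings(hits)
	return hits, nil
}

// isFixed reports whether a server version string such as "2.5.1" or
// "v2.6.0-beta1" is at least 2.5.2, the first release the advisory names as
// fixed. Build metadata after "+" is ignored; a pre-release of exactly 2.5.2
// (e.g. "2.5.2-rc1") is treated as not fixed.
func isFixed(version string) (bool, error) {
	v := strings.TrimPrefix(strings.TrimSpace(version), "v")
	if i := strings.Index(v, "+"); i >= 0 {
		v = v[:i]
	}
	pre := false
	if i := strings.Index(v, "-"); i >= 0 {
		pre = true
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return false, fmt.Errorf("unexpected version %q", version)
	}
	fixed := [3]int{2, 5, 2}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return false, fmt.Errorf("unexpected version %q: %w", version, err)
		}
		if n != fixed[i] {
			return n > fixed[i], nil
		}
	}
	return !pre, nil
}

func main() {
	// Constructed sample reads (not real output): one CLI role in direct mode,
	// one browser role in the default client mode, one role that omits the field.
	reads := map[string][]byte{
		"cli-direct": []byte(`{"data":{"role_type":"oidc","callback_mode":"direct","bound_audiences":["bao"]}}`),
		"browser":    []byte(`{"data":{"role_type":"oidc","callback_mode":"client","bound_audiences":["bao"]}}`),
		"ci-jwt":     []byte(`{"data":{"role_type":"jwt","bound_audiences":["ci"]}}`),
	}
	hits, err := directCallbackRoles(reads)
	if err != nil {
		panic(err)
	}
	fmt.Println("roles with callback_mode=direct:", hits)

	for _, v := range []string{"2.5.1", "2.5.2", "v2.6.0-beta1"} {
		ok, err := isFixed(v)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-13s fixed=%v\n", v, ok)
	}
}
```

To run it against a live deployment, feed `directCallbackRoles` the output of `bao read -format=json` for each name returned by `bao list -format=json auth/<mount>/role`, once per JWT/OIDC mount, and feed `isFixed` the version reported by `bao status`.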
CVE-2026-33757 is a critical vulnerability in OpenBao versions prior to 2.5.2. A remote attacker can start a JWT/OIDC login against a role in direct callback mode, phish a user into completing it, and then collect a token for that user, because the vulnerable versions never ask the user to confirm the login.
Yes, if you are running an OpenBao version earlier than 2.5.2 and have any JWT/OIDC roles configured with `callback_mode: direct`. Roles using the default callback mode are not affected by this issue.
Upgrade OpenBao to version 2.5.2 or later, which adds a user confirmation prompt to the direct-callback login and prevents the phishing attack. As a temporary workaround, remove `callback_mode: direct` from the affected roles.
While no active exploitation campaigns have been confirmed, the vulnerability's simplicity suggests it may be targeted in the future. Proactive mitigation is strongly recommended.
Refer to the OpenBao security advisories on their official website or GitHub repository for the latest information and updates regarding CVE-2026-33757.