Platform
go
Component
github.com/openbao/openbao
Fixed in
2.5.3
0.0.0-20260325133417-6e2b2dd84f0e
CVE-2026-33758 describes a cross-site scripting (XSS) vulnerability affecting OpenBao installations that use OIDC/JWT authentication with roles configured with callback_mode=direct. The flaw lets an attacker obtain the token a victim uses in the Web UI, leading to unauthorized access. It affects versions prior to the fix and was patched in version v2.5.2 by replacing the vulnerable parameter with a static error message.
CVE-2026-33758 affects OpenBao installations that use OIDC/JWT authentication and have roles configured with callback_mode=direct. The vulnerability is a Cross-Site Scripting (XSS) injection via the error_description parameter on the failed-authentication page. An attacker can use it to access the token a victim uses in the web UI, potentially compromising the account.
An attacker could manipulate the OIDC/JWT authentication response to inject malicious JavaScript into the error_description parameter. When a user attempts to log in and authentication fails, OpenBao displays the error page, executing the malicious code in the user's browser. This allows the attacker to steal the authentication token, potentially granting unauthorized access to the OpenBao web UI.
Exploit Status
EPSS
0.12% (31% percentile)
The definitive fix is to upgrade to OpenBao version 2.5.2, where the error_description parameter has been replaced with a static error message. As a temporary workaround, remove any roles configured with callback_mode=direct. This reduces the attack surface and prevents exploitation of this vulnerability. Prompt action is crucial to protect your OpenBao installation.
Update OpenBao to version 2.5.2 or higher. Alternatively, remove any roles with `callback_mode` configured as `direct`.
OIDC (OpenID Connect) and JWT (JSON Web Token) are authentication protocols used to verify user identity and grant access to applications and services.
Setting callback_mode=direct makes OpenBao handle the authentication return directly, and in this case that handling is what exposes the XSS vulnerability.
If you cannot upgrade to OpenBao version 2.5.2 immediately, remove roles with callback_mode=direct as a temporary measure.
The OpenBao version can be found on the administration page or in the installation documentation.
Although the vulnerability was recently discovered, there is a risk that it was exploited before the patch was released. Reviewing audit logs for suspicious activity is recommended.
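As an added illustration (not OpenBao's own code), the following Go program shows the rendering pattern behind the flaw described above next to the shape of the 2.5.2 fix, and a simple check for the audit-log review recommended here: it flags OIDC callback requests whose error_description carries HTML or script markup. The callback path, the request lines and the detection regex are constructed assumptions, not OpenBao paths or logic.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Heuristic assumed here (not OpenBao logic): markup or inline event handlers
// have no place in a human-readable OIDC error_description.
var markup = regexp.MustCompile(`(?i)[<>]|javascript:|\bon\w+\s*=`)

// errorDescription pulls error_description out of an OIDC callback query string.
func errorDescription(rawQuery string) (string, error) {
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return "", err
	}
	return q.Get("error_description"), nil
}

// isSuspicious reports whether a description looks like injected HTML or JS.
func isSuspicious(desc string) bool { return markup.MatchString(desc) }
// renderUnsafe is the vulnerable shape: provider-controlled text is spliced into
// the error page unescaped, so markup in it runs in the victim's browser.
func renderUnsafe(desc string) string { return `<p class="error">` + desc + `</p>` }
// renderFixed is the shape of the 2.5.2 fix: a static message replaces the
// parameter, so provider-controlled text never reaches the page at all.
func renderFixed(string) string { return `<p class="error">Authentication failed.</p>` }

// auditCallbacks returns the request lines whose error_description carries markup.
func auditCallbacks(lines []string) (hits []string) {
	for _, l := range lines {
		_, rawQuery, ok := strings.Cut(l, "?")
		if desc, err := errorDescription(rawQuery); ok && err == nil && isSuspicious(desc) {
			hits = append(hits, l)
		}
	}
	return hits
}

// Constructed sample requests (not real OpenBao audit entries); the path is a placeholder.
var samples = []string{
	"GET /ui/oidc/callback?state=s1&code=abc",
	"GET /ui/oidc/callback?state=s2&error=access_denied&error_description=User+declined",
	"GET /ui/oidc/callback?state=s3&error=invalid_request&error_description=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
}

func main() { fmt.Println("suspicious:", auditCallbacks(samples)) }
```

Only the third sample is reported; a benign provider message such as "User declined" passes, and after the fix the flagged text would never have been rendered in the first place.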