CVE Daily
← All tags

Tag: OpenBao

All CVEs associated with "OpenBao". Page 1/1 • 21 CVEs.

About “OpenBao”

A curated feed of “OpenBao”-related CVEs appears below. We currently track 21 CVEs for this tag (all time). In the last 365 days, 21 were published. Average CVSS is 6.1 (all time; 6.1 over 365d), and 43% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-532 - Insertion of Sensitive Information into Log File, CWE-400 - Uncontrolled Resource Consumption, CWE-20 - Improper Input Validation.

In our taxonomy this topic maps to a HIGH impact class. Identity providers govern authentication across the estate. Upgrade, enforce phishing resistant MFA, review audit logs, rotate admin keys, and tighten policies. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

Support & lifecycle: openbao

This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.

CycleReleaseLatestEOLLTS
2.52.5.4-
2.42.4.4 Expired
2.32.3.2 Expired
2.22.2.2 Expired
2.12.1.1 Expired
2.02.0.3 Expired

Maintained Soon (≤ 180 days) Expired

Subscribe lifecycle: RSS  ·  RSS (expired)  ·  ICS

Subscribe CVEs: RSS for “OpenBao”  ·  RSS (High+Critical only)

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2026-05-14
High

CVE-2026-42186

OpenBao is an open source identity-based secrets management system. Prior to 2.5.3, when OpenBao's initial namespace deletion fails, subsequent retries fail to properly remove all data before marking…

CVSS: 7.5 CWE: CWE-212 - Improper Removal of Sensitive Information Before Storage or Transfer View on NVD
2026-04-21
Low

CVE-2026-40264

OpenBao is an open source identity-based secrets management system. OpenBao's namespaces provide multi-tenant separation. Prior to version 2.5.3, a tenant who leaks token accessors can have their tok…

CVSS: 2.7 CWE: CWE-1259 - Improper Restriction of Security Token Assignment View on NVD
Medium

CVE-2026-39946

OpenBao is an open source identity-based secrets management system. Prior to version 2.5.3, when OpenBao revoked privileges on a role in the PostgreSQL database secrets engine, OpenBao failed to use…

CVSS: 4.9 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Low

CVE-2026-39396

OpenBao is an open source identity-based secrets management system. Prior to version 2.5.3, `ExtractPluginFromImage()` in OpenBao's OCI plugin downloader extracts a plugin binary from a container ima…

CVSS: 3.1 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
Low

CVE-2026-39388

OpenBao is an open source identity-based secrets management system. Prior to version 2.5.3, OpenBao's Certificate authentication method, when a token renewal is requested and `disable_binding=true` i…

CVSS: 3.1 CWE: CWE-295 - Improper Certificate Validation View on NVD
2026-03-27
Medium

CVE-2026-33758

OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao installations that have an OIDC/JWT authentication method enabled and a role with `callback_mode=di…

CVSS: 6.1 CWE: CWE-20 - Improper Input Validation View on NVD
Critical

CVE-2026-33757

OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao does not prompt for user confirmation when logging in via JWT/OIDC and a role with `callback_mode`…

CVSS: 9.6 CWE: CWE-384 - Session Fixation View on NVD
2025-11-25
High

CVE-2025-64761

OpenBao is an open source identity-based secrets management system. Prior to version 2.4.4, a privileged operator could use the identity group subsystem to add a root policy to a group identity group…

CVSS: 7.2 CWE: CWE-266 - Incorrect Privilege Assignment View on NVD
2025-10-23
High

CVE-2025-59048

OpenBao's AWS Plugin generates AWS access credentials based on IAM policies. Prior to version 0.1.1, the AWS Plugin is vulnerable to cross-account IAM role Impersonation in the AWS auth method. The v…

CVSS: 8.1 CWE: CWE-694 - Use of Multiple Resources with Duplicate Identifier View on NVD
2025-10-22
Medium

CVE-2025-62705

OpenBao is an open source identity-based secrets management system. Prior to version 2.4.2, OpenBao's audit log did not appropriately redact fields when relevant subsystems sent []byte response param…

CVSS: 4.9 CWE: CWE-532 - Insertion of Sensitive Information into Log File View on NVD
High

CVE-2025-62513

OpenBao is an open source identity-based secrets management system. In versions 2.2.0 to 2.4.1, OpenBao's audit log experienced a regression wherein raw HTTP bodies used by few endpoints were not cor…

CVSS: 7.5 CWE: CWE-532 - Insertion of Sensitive Information into Log File View on NVD
2025-10-17
High

CVE-2025-59043

OpenBao is an open source identity-based secrets management system. In OpenBao versions prior to 2.4.1, JSON objects after decoding may use significantly more memory than their serialized version. It…

CVSS: 7.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2025-08-09
Medium

CVE-2025-55003

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, OpenBao's Login Multi-Factor Auth…

CVSS: 5.7 CWE: CWE-307 - Improper Restriction of Excessive Authentication Attempts View on NVD
Medium

CVE-2025-55001

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, OpenBao allowed the assignment of…

CVSS: 6.5 CWE: CWE-156 - Improper Neutralization of Whitespace View on NVD
Medium

CVE-2025-55000

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, OpenBao's TOTP secrets engine…

CVSS: 6.5 CWE: CWE-156 - Improper Neutralization of Whitespace View on NVD
Low

CVE-2025-54999

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, when using OpenBao's userpass…

CVSS: 3.7 CWE: CWE-203 - Observable Discrepancy View on NVD
Medium

CVE-2025-54998

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, attackers could bypass the au…

CVSS: 5.3 CWE: CWE-307 - Improper Restriction of Excessive Authentication Attempts View on NVD
Critical

CVE-2025-54997

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, some OpenBao deployments intentio…

CVSS: 9.1 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
High

CVE-2025-54996

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, accounts with access to highly-pr…

CVSS: 7.2 CWE: CWE-269 - Improper Privilege Management View on NVD
2025-06-25
High

CVE-2025-52894

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. OpenBao before v2.3.0 allowed an attacker to perform unauthent…

CVSS: 7.5 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2025-52893

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. OpenBao before v2.3.0 may leak sensitive information in logs w…

CVSS: 4.5 CWE: CWE-532 - Insertion of Sensitive Information into Log File View on NVD
CVE Daily Lookup — auto-links CVE IDs on any page you visit. GitHub, Jira, Confluence & more. Free.
Chrome Firefox