CVE-2026-33757

Published: Mar 27, 2026

Modified: Apr 1, 2026

PUBLISHED

CVSS v3.1

9.6

CRITICAL

Description

OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao does not prompt for user confirmation when logging in via JWT/OIDC and a role with `callback_mode` set to `direct`. This allows an attacker to start an authentication request and perform "remote phishing" by having the victim visit the URL and automatically log-in to the session of the attacker. Despite being based on the authorization code flow, the `direct` mode calls back directly to the API and allows an attacker to poll for an OpenBao token until it is issued. Version 2.5.2 includes an additional confirmation screen for `direct` type logins that requires manual user interaction in order to finish the authentication. This issue can be worked around either by removing any roles with `callback_mode=direct` or enforcing confirmation for every session on the token issuer side for the Client ID used by OpenBao.

Vendor	Product	Versions
openbao	openbao	affected `< 2.5.2`

Weaknesses (CWE)

CWE-384

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

Low

References

https://github.com/openbao/openbao/security/advisories/GHSA-7q7g-x6vg-xpc3

x_refsource_CONFIRM

https://github.com/openbao/openbao/commit/e32103951925723e9787e33886ab6b6ec20f4964

x_refsource_MISC

https://datatracker.ietf.org/doc/html/rfc8628#section-5.4

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-33757

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References