CVE-2026-33758

EPSS 0.05%
Veröffentlicht 27.03.2026 14:12:33
Zuletzt bearbeitet 30.03.2026 17:21:54
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

OpenBao has Reflected XSS in its OIDC authentication error message

OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao installations that have an OIDC/JWT authentication method enabled and a role with `callback_mode=direct` configured are vulnerable to XSS via the  `error_description` parameter on the page for a failed authentication. This allows an attacker access to the token used in the Web UI by a victim. The `error_description` parameter has been replaced with a static error message in v2.5.2. The vulnerability can be mitigated by removing any roles with `callback_mode` set to `direct`.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 3 Referenzen 7

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Openbao ≫ Openbao Version < 2.5.2

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.05%	0.167

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
security-advisories@github.com	9.4	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-116 Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/openbao/openbao/security/advisories/GHSA-cpj3-3r2f-xj59

Vendor Advisory

https://github.com/openbao/openbao/pull/2709

Patch

Issue Tracking

https://github.com/openbao/openbao/commit/6e2b2dd84f0e47cebc90d6e79609dd5274732662

Patch

https://github.com/openbao/openbao/releases/tag/v2.5.2

Product

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2026-33758

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-33758

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-33758

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-33758