CVE-2026-33758
MEDIUMOpenBao has Reflected XSS in its OIDC authentication error message
Title source: cnaDescription
OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao installations that have an OIDC/JWT authentication method enabled and a role with `callback_mode=direct` configured are vulnerable to XSS via the `error_description` parameter on the page for a failed authentication. This allows an attacker access to the token used in the Web UI by a victim. The `error_description` parameter has been replaced with a static error message in v2.5.2. The vulnerability can be mitigated by removing any roles with `callback_mode` set to `direct`.
Scores
CVSS v3
6.1
EPSS
0.0005
EPSS Percentile
16.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-116
CWE-20
CWE-79
Status
published
Products (2)
openbao/openbao
< 2.5.2 (2 CPE variants)
openbao/openbao
0 - 0.0.0-20260325133417-6e2b2dd84f0eGo
Published
Mar 27, 2026
Tracked Since
Mar 29, 2026