CVE-2026-33758
MEDIUMOpenBao has Reflected XSS in its OIDC authentication error message
Title source: cnaDescription
OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao installations that have an OIDC/JWT authentication method enabled and a role with `callback_mode=direct` configured are vulnerable to XSS via the `error_description` parameter on the page for a failed authentication. This allows an attacker access to the token used in the Web UI by a victim. The `error_description` parameter has been replaced with a static error message in v2.5.2. The vulnerability can be mitigated by removing any roles with `callback_mode` set to `direct`.
References (4)
Core 4
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/openbao/openbao/security/advisories/GHSA-cpj3-3r2f-xj59
X_Refsource_Misc x_refsource_misc
https://github.com/openbao/openbao/pull/2709
X_Refsource_Misc x_refsource_misc
https://github.com/openbao/openbao/commit/6e2b2dd84f0e47cebc90d6e79609dd5274732662
X_Refsource_Misc x_refsource_misc
https://github.com/openbao/openbao/releases/tag/v2.5.2
Scores
CVSS v3
6.1
EPSS
0.0026
EPSS Percentile
17.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-116
CWE-20
CWE-79
Status
published
Products (2)
openbao/openbao
< 2.5.2 (2 CPE variants)
openbao/openbao
0 - 0.0.0-20260325133417-6e2b2dd84f0eGo
Published
Mar 27, 2026
Tracked Since
Mar 29, 2026