CVE-2026-42186
HIGH
OpenBao's Namespace Deletion May Not Delete Data Properly
Title source: cna
Description
OpenBao is an open source identity-based secrets management system. Prior to 2.5.3, when OpenBao's initial namespace deletion fails, subsequent retries fail to properly remove all data before marking the namespace as deleted. This can affect any outstanding leases as well as potentially leaving unrelated storage entries around. This vulnerability is fixed in 2.5.3.
References (3)
x_refsource_confirm
https://github.com/openbao/openbao/security/advisories/GHSA-vv66-6rp4-wr4f
x_refsource_misc
https://github.com/openbao/openbao/commit/6d2e0506e2b41be0eaa6643bf7b4efc9a2c09445
x_refsource_misc
https://github.com/openbao/openbao/releases/tag/v2.5.3
Scores
CVSS v3
7.5
EPSS
0.0025
EPSS Percentile
15.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-212
Status
published
Products (2)
openbao/openbao
< 2.5.3 (2 CPE variants)
openbao/openbao
0 - 0.0.0-20260420173541-6d2e0506e2b4 (Go)
Published
May 14, 2026
Tracked Since
May 14, 2026