CVE Catalog

CVE-2026-33758

MediumCVSS 6.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.29%

21th percentile - higher than 21% of all known CVEs

Summary

OpenBao versions prior to 2.5.2 with OIDC/JWT authentication enabled and a role configured with `callback_mode=direct` are vulnerable to XSS via the `error_description` parameter on the failed authentication page. An attacker can steal the token used in the Web UI by a victim.

Risk Assessment

The risk involves potential theft of an administrator's or user's session token, which could lead to unauthorized access to managed secrets and system configuration.

Recommendation

Upgrade OpenBao to version 2.5.2 or later immediately. If upgrade is not possible, remove all roles with `callback_mode` set to `direct`.

Original NVD description (English source)

OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao installations that have an OIDC/JWT authentication method enabled and a role with `callback_mode=direct` configured are vulnerable to XSS via the `error_description` parameter on the page for a failed authentication. This allows an attacker access to the token used in the Web UI by a victim. The `error_description` parameter has been replaced with a static error message in v2.5.2. The vulnerability can be mitigated by removing any roles with `callback_mode` set to `direct`.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS