
openbao — Vulnerabilities & Security Advisories 20

Browse all 20 CVE security advisories affecting openbao, each with an AI-generated Chinese analysis, PoCs and references.

OpenBao is an open-source fork of HashiCorp Vault: a secrets management and identity-based authorization platform that centralizes access to credentials, API keys and certificates across an infrastructure. The advisories listed below cluster around a few themes: improper access control and privilege escalation (token and namespace handling, identity groups, the AWS auth method), authentication weaknesses (MFA and lockout bypasses, TOTP code reuse, certificate and OIDC callback handling), sensitive data written to audit logs, resource exhaustion from untrusted input, and injection flaws in the API layer (SQL injection in the PostgreSQL secrets engine, reflected XSS in an OIDC error message). The one code execution entry, CVE-2025-54997, requires an already privileged operator rather than an unauthenticated remote attacker. No widespread breach has been publicly attributed to these twenty CVEs, but a secrets manager is the component whose compromise exposes every credential it holds, so each entry warrants prompt patching together with a review of audit logs and operator privileges. The project relies on community-driven security audits and public advisories, which keeps it a viable, auditable alternative for organizations that want a secrets manager without proprietary constraints.

Top products by openbao: openbao, openbao-plugins
CVE ID | Title | Product | CWE | CVSS | Severity | Published
--- | --- | --- | --- | --- | --- | ---
CVE-2026-40264 | OpenBao's Token Store Allows Cross-Namespace Renewal, Revocation | openbao | CWE-1259 | 8.1 (AI) | High (AI) | 2026-04-21
CVE-2026-39396 | OpenBao has Decompression Bomb via Unbounded Copy in OCI Plugin Extraction (DoS) | openbao | CWE-400 | 3.1 | Low | 2026-04-21
CVE-2026-39388 | OpenBao's Certificate Authentication Allows Token Renewal With Different Certificate | openbao | CWE-295 | 7.5 (AI) | High (AI) | 2026-04-21
CVE-2026-39946 | OpenBao allows SQL Injection in PostgreSQL database secrets engine | openbao | CWE-89 | 8.8 | - | 2026-04-21
CVE-2026-33758 | OpenBao has Reflected XSS in its OIDC authentication error message | openbao | CWE-20 | 6.1 | - | 2026-03-27
CVE-2026-33757 | OpenBao lacks user confirmation for OIDC direct callback mode | openbao | CWE-384 | 9.6 | Critical | 2026-03-27
CVE-2025-64761 | OpenBao Privileged Operator Identity Group Root Escalation | openbao | CWE-266 | 7.2 (AI) | High (AI) | 2025-11-25
CVE-2025-59048 | OpenBao AWS Plugin Vulnerable to Cross-Account IAM Role Impersonation in AWS Auth Method | openbao-plugins | CWE-863 | 8.1 | High | 2025-10-23
CVE-2025-62705 | OpenBao and Vault Leak []byte Fields in Audit Logs | openbao | CWE-532 | 7.5 (AI) | High (AI) | 2025-10-22
CVE-2025-62513 | OpenBao leaks HTTPRawBody in Audit Logs | openbao | CWE-532 | 7.5 (AI) | High (AI) | 2025-10-22
CVE-2025-59043 | OpenBao vulnerable to denial of service via malicious JSON request processing | openbao | CWE-400 | 7.5 | High | 2025-10-17
CVE-2025-55003 | OpenBao Login MFA Bypasses Rate Limiting and TOTP Token Reuse | openbao | CWE-307 | 5.7 | Medium | 2025-08-09
CVE-2025-55001 | OpenBao LDAP MFA Enforcement Bypass When Using Username As Alias | openbao | CWE-156 | 6.5 | Medium | 2025-08-09
CVE-2025-55000 | OpenBao TOTP Secrets Engine Enables Code Reuse | openbao | CWE-156 | 6.5 | Medium | 2025-08-09
CVE-2025-54999 | OpenBao: Timing Side-Channel in Userpass Auth Method | openbao | CWE-203 | 3.7 | Low | 2025-08-09
CVE-2025-54998 | OpenBao Userpass and LDAP User Lockout Bypass | openbao | CWE-307 | 5.3 | Medium | 2025-08-09
CVE-2025-54997 | OpenBao: Privileged Operator May Execute Code on the Underlying Host | openbao | CWE-94 | 9.1 | Critical | 2025-08-09
CVE-2025-54996 | OpenBao Root Namespace Operator May Elevate Token Privileges | openbao | CWE-269 | 7.2 | High | 2025-08-09
CVE-2025-52894 | OpenBao Vulnerable to Unauthenticated Rekey Operation Cancellation | openbao | CWE-20 | 7.5 (AI) | High (AI) | 2025-06-25
CVE-2025-52893 | OpenBao May Leak Sensitive Information in Logs When Processing Malformed Data | openbao | CWE-532 | 4.5 | Medium | 2025-06-25

Values marked (AI) reproduce the page's marker for an AI-estimated score or severity rather than a vendor-published one; "-" means the page lists no severity.

This page lists every published CVE security advisory associated with openbao. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.
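The listing above is what a reviewer actually has to triage, so here is an added Python example (written for this page, not code from OpenBao, from openbao-plugins, or from the site) that parses the rows exactly as they appear, derives the CVSS v3 qualitative rating where the page shows "-", flags scores the page marks as AI-estimated, checks that every listed severity agrees with the band its own score implies, and groups the twenty CVEs by CWE family. The column layout it expects and the CWE-to-family grouping are editorial assumptions; nothing here is taken from the advisories' own content.

```python
"""Triage helper for the openbao advisory listing (constructed example, not
OpenBao project code): parse the flattened rows, derive a CVSS v3 rating where
the page lists none, and group the CVEs by CWE family."""
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass

# Rows copied verbatim from the listing above (constructed sample input); the
# "AI" suffix after a score or severity is the page's marker for an estimate.
ROWS = """\
CVE-2026-40264 OpenBao's Token Store Allows Cross-Namespace Renewal, Revocation — openbaoCWE-1259 8.1AIHighAI2026-04-21
CVE-2026-39396 OpenBao has Decompression Bomb via Unbounded Copy in OCI Plugin Extraction (DoS) — openbaoCWE-400 3.1 Low2026-04-21
CVE-2026-39388 OpenBao's Certificate Authentication Allows Token Renewal With Different Certificate — openbaoCWE-295 7.5AIHighAI2026-04-21
CVE-2026-39946 OpenBao allows SQL Injection in PostgreSQL database secrets engine — openbaoCWE-89 8.8 -2026-04-21
CVE-2026-33758 OpenBao has Reflected XSS in its OIDC authentication error message — openbaoCWE-20 6.1 -2026-03-27
CVE-2026-33757 OpenBao lacks user confirmation for OIDC direct callback mode — openbaoCWE-384 9.6 Critical2026-03-27
CVE-2025-64761 OpenBao Privileged Operator Identity Group Root Escalation — openbaoCWE-266 7.2AIHighAI2025-11-25
CVE-2025-59048 OpenBao AWS Plugin Vulnerable to Cross-Account IAM Role Impersonation in AWS Auth Method — openbao-pluginsCWE-863 8.1 High2025-10-23
CVE-2025-62705 OpenBao and Vault Leak []byte Fields in Audit Logs — openbaoCWE-532 7.5AIHighAI2025-10-22
CVE-2025-62513 OpenBao leaks HTTPRawBody in Audit Logs — openbaoCWE-532 7.5AIHighAI2025-10-22
CVE-2025-59043 OpenBao vulnerable to denial of service via malicious JSON request processing — openbaoCWE-400 7.5 High2025-10-17
CVE-2025-55003 OpenBao Login MFA Bypasses Rate Limiting and TOTP Token Reuse — openbaoCWE-307 5.7 Medium2025-08-09
CVE-2025-55001 OpenBao LDAP MFA Enforcement Bypass When Using Username As Alias — openbaoCWE-156 6.5 Medium2025-08-09
CVE-2025-55000 OpenBao TOTP Secrets Engine Enables Code Reuse — openbaoCWE-156 6.5 Medium2025-08-09
CVE-2025-54999 OpenBao: Timing Side-Channel in Userpass Auth Method — openbaoCWE-203 3.7 Low2025-08-09
CVE-2025-54998 OpenBao Userpass and LDAP User Lockout Bypass — openbaoCWE-307 5.3 Medium2025-08-09
CVE-2025-54997 OpenBao: Privileged Operator May Execute Code on the Underlying Host — openbaoCWE-94 9.1 Critical2025-08-09
CVE-2025-54996 OpenBao Root Namespace Operator May Elevate Token Privileges — openbaoCWE-269 7.2 High2025-08-09
CVE-2025-52894 OpenBao Vulnerable to Unauthenticated Rekey Operation Cancellation — openbaoCWE-20 7.5AIHighAI2025-06-25
CVE-2025-52893 OpenBao May Leak Sensitive Information in Logs When Processing Malformed Data — openbaoCWE-532 4.5 Medium2025-06-25
"""

ROW_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d+) (?P<title>.+?) \u2014 "
    r"(?P<product>openbao(?:-plugins)?)(?P<cwe>CWE-\d+) "
    r"(?P<cvss>\d+\.\d+)(?P<cvss_ai>AI)? ?"
    r"(?P<sev>Critical|High|Medium|Low|-)(?P<sev_ai>AI)?(?P<date>\d{4}-\d{2}-\d{2})$")

# Editorial grouping of the CWEs on this page (an assumption, not an official CWE view).
CWE_FAMILY = {cwe: fam for fam, cwes in {
    "access control and privilege": ["CWE-1259", "CWE-266", "CWE-269", "CWE-863"],
    "authentication and session handling": ["CWE-295", "CWE-384", "CWE-307", "CWE-156", "CWE-203"],
    "sensitive data in logs": ["CWE-532"],
    "resource exhaustion": ["CWE-400"],
    "injection": ["CWE-89", "CWE-94"],
    "input validation": ["CWE-20"],
}.items() for cwe in cwes}

@dataclass(frozen=True)
class Advisory:
    cve: str
    title: str
    product: str
    cwe: str
    cvss: float
    cvss_estimated: bool      # score carried the page's "AI" marker
    severity: str | None      # None when the page lists "-"
    severity_estimated: bool
    published: str

def parse_rows(text: str) -> list[Advisory]:
    """Parse the flattened listing; a row that does not fit the layout is an error, not a dropped CVE."""
    out = []
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable row: {line!r}")
        out.append(Advisory(
            m["cve"], m["title"], m["product"], m["cwe"], float(m["cvss"]),
            m["cvss_ai"] is not None, None if m["sev"] == "-" else m["sev"],
            m["sev_ai"] is not None, m["date"]))
    return out

def severity_from_cvss(score: float) -> str:
    """CVSS v3.x qualitative rating bands: 0 None, 0.1-3.9 Low, 4.0-6.9 Medium, 7.0-8.9 High, else Critical."""
    bands = ((0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High"))
    return next((name for top, name in bands if score <= top), "Critical")

def count_by_family(advisories: list[Advisory]) -> Counter:
    return Counter(CWE_FAMILY.get(a.cwe, "other") for a in advisories)

def triage(advisories: list[Advisory]) -> list[tuple]:
    """Worklist sorted by score, highest first. Each row carries flags telling
    the reviewer which values were estimated, derived, or inconsistent."""
    rows = []
    for a in sorted(advisories, key=lambda a: (-a.cvss, a.cve)):
        derived = severity_from_cvss(a.cvss)
        flags = []
        if a.cvss_estimated:
            flags.append("score-estimated")
        if a.severity is None:
            flags.append("severity-derived")
        elif a.severity != derived:
            flags.append("severity-mismatch")
        rows.append((a.cve, a.cvss, a.severity or derived, a.cwe, a.product, ",".join(flags)))
    return rows
```

Import the module and call parse_rows(ROWS), then triage(...) and count_by_family(...). With the rows as listed, the worklist starts with CVE-2026-33757 (9.6) and CVE-2025-54997 (9.1), every severity the page does give agrees with the band its score implies, six scores carry the AI marker, and the two entries without a severity (the SQL injection at 8.8 and the reflected XSS at 6.1) come out as High and Medium. The parser raises on a malformed row on purpose: a triage script that silently drops an advisory it cannot read is worse than one that stops.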