CVE-2026-33758

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-33758

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33758.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-33758

Aliases

Downstream

SUSE-SU-2026:1135-1

openSUSE-SU-2026:10438-1

Related

Published

2026-03-27T14:12:33.941Z

Modified

2026-04-10T05:42:55.595399Z

Severity

9.4 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H CVSS Calculator

Summary

OpenBao has Reflected XSS in its OIDC authentication error message

Details

OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao installations that have an OIDC/JWT authentication method enabled and a role with callback_mode=direct configured are vulnerable to XSS via the error_description parameter on the page for a failed authentication. This allows an attacker access to the token used in the Web UI by a victim. The error_description parameter has been replaced with a static error message in v2.5.2. The vulnerability can be mitigated by removing any roles with callback_mode set to direct.

Database specific

{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33758.json",
    "cwe_ids": [
        "CWE-116",
        "CWE-20",
        "CWE-79"
    ]
}

References

Affected packages

Git / github.com/openbao/openbao

Affected ranges

Type

GIT

Repo

https://github.com/openbao/openbao

Events

Introduced

Fixed

932fcf892eba8d646a9bfc58a59ea3b2475b17fa

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.5.2"
        }
    ]
}

Affected versions

api/auth/approle/v0.*

api/auth/approle/v0.1.0

api/auth/approle/v0.1.1

api/auth/approle/v0.2.0

api/auth/approle/v0.3.0

api/auth/approle/v0.4.0

api/auth/approle/v0.4.1

api/auth/approle/v1.*

api/auth/approle/v1.1.0-development20240408

api/auth/approle/v2.*

api/auth/approle/v2.0.1

api/auth/approle/v2.2.0

api/auth/approle/v2.3.0

api/auth/approle/v2.4.0

api/auth/approle/v2.5.0

api/auth/approle/v2.5.1

api/auth/aws/v0.*

api/auth/aws/v0.1.0

api/auth/aws/v0.2.0

api/auth/aws/v0.3.0

api/auth/aws/v0.4.0

api/auth/aws/v0.4.1

api/auth/aws/v1.*

api/auth/aws/v1.1.0-development20240408

api/auth/azure/v0.*

api/auth/azure/v0.1.0

api/auth/azure/v0.2.0

api/auth/azure/v0.3.0

api/auth/azure/v0.4.0

api/auth/azure/v0.4.1

api/auth/azure/v1.*

api/auth/azure/v1.1.0-development20240408

api/auth/gcp/v0.*

api/auth/gcp/v0.1.0

api/auth/gcp/v0.2.0

api/auth/gcp/v0.3.0

api/auth/gcp/v0.4.0

api/auth/gcp/v0.4.1

api/auth/gcp/v1.*

api/auth/gcp/v1.1.0-development20240408

api/auth/jwt/v2.*

api/auth/jwt/v2.4.0

api/auth/jwt/v2.5.0

api/auth/jwt/v2.5.1

api/auth/kubernetes/v1.*

api/auth/kubernetes/v1.1.0-development20240408

api/auth/kubernetes/v2.*

api/auth/kubernetes/v2.0.1

api/auth/kubernetes/v2.2.0

api/auth/kubernetes/v2.3.0

api/auth/kubernetes/v2.4.0

api/auth/kubernetes/v2.5.0

api/auth/kubernetes/v2.5.1

api/auth/ldap/v1.*

api/auth/ldap/v1.1.0-development20240408

api/auth/ldap/v2.*

api/auth/ldap/v2.0.1

api/auth/ldap/v2.2.0

api/auth/ldap/v2.3.0

api/auth/ldap/v2.4.0

api/auth/ldap/v2.5.0

api/auth/ldap/v2.5.1

api/auth/userpass/v0.*

api/auth/userpass/v0.1.0

api/auth/userpass/v0.2.0

api/auth/userpass/v0.3.0

api/auth/userpass/v0.4.0

api/auth/userpass/v0.4.1

api/auth/userpass/v1.*

api/auth/userpass/v1.1.0-development20240408

api/auth/userpass/v2.*

api/auth/userpass/v2.0.1

api/auth/userpass/v2.2.0

api/auth/userpass/v2.3.0

api/auth/userpass/v2.4.0

api/auth/userpass/v2.5.0

api/auth/userpass/v2.5.1

api/v1.*

api/v1.0.1

api/v1.0.2

api/v1.0.3

api/v1.0.4

api/v1.1.1

api/v1.100.0-development20240408

api/v1.2.0

api/v1.3.1

api/v1.5.0

api/v1.6.0

api/v1.7.0

api/v1.7.1

api/v1.7.2

api/v1.8.0

api/v1.8.1

api/v1.8.2

api/v1.8.3

api/v1.9.0

api/v1.9.1

api/v1.9.2

api/v2.*

api/v2.0.1

api/v2.1.0

api/v2.2.0

api/v2.3.0

api/v2.4.0

api/v2.5.0

api/v2.5.1

Other

before-plugin-removal

dev-namespaces-base-20250215

dev-namespaces-base-20250311

dev-namespaces-base-20250424

sdk/v0.*

sdk/v0.1.10

sdk/v0.1.11

sdk/v0.1.12

sdk/v0.1.13

sdk/v0.1.8

sdk/v0.1.9

sdk/v0.2.1

sdk/v0.3.0

sdk/v0.4.1

sdk/v0.5.0

sdk/v0.5.1

sdk/v0.5.3

sdk/v0.6.0

sdk/v0.6.1

sdk/v0.6.2

sdk/v0.7.0

sdk/v0.8.0

sdk/v0.9.0

sdk/v0.9.1

sdk/v1.*

sdk/v1.100.0-development20240408

sdk/v2.*

sdk/v2.0.1

sdk/v2.1.0

sdk/v2.2.0

sdk/v2.3.0

sdk/v2.4.0

sdk/v2.5.0

sdk/v2.5.1

v2.*

v2.0.0

v2.0.0-alpha20240329

v2.0.0-beta20240618

v2.1.0-beta20241114

v2.1.0-beta20241114.1

v2.1.0-beta20241114.2

v2.1.0-beta20241114.3

v2.2.0-beta20250213

v2.3.0-beta20250528

v2.4.0

v2.5.0

v2.5.0-beta20251125

v2.5.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33758.json"