GHSA-6vgr-cp5c-ffx3
Suggest an improvement- Source
- https://github.com/advisories/GHSA-6vgr-cp5c-ffx3
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-6vgr-cp5c-ffx3/GHSA-6vgr-cp5c-ffx3.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-6vgr-cp5c-ffx3
- Aliases
-
- CVE-2026-39946
- Related
- Published
- 2026-04-21T18:26:05Z
- Modified
- 2026-05-05T16:02:34.515594Z
- Severity
-
- 4.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- 4.6 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N CVSS Calculator
- Summary
- OpenBao's SQL Injection in PostgreSQL database secrets engine
- Details
-
Impact
When OpenBao revoked privileges on a role in the PostgreSQL database secrets engine, OpenBao failed to use proper database quoting on schema names provided by PostgreSQL. This could lead to role revocation failures, or more rarely, SQL injection as the management user.
This vulnerability was originally from HashiCorp Vault.
Patches
This was addressed in v2.5.3.
Workarounds
Audit table schemas and ensure database users cannot create new schemas and grant privileges on them.
- Database specific
{ "cwe_ids": [ "CWE-89" ], "github_reviewed": true, "github_reviewed_at": "2026-04-21T18:26:05Z", "nvd_published_at": "2026-04-21T01:16:06Z", "severity": "MODERATE" }- References
-
- https://github.com/openbao/openbao/security/advisories/GHSA-6vgr-cp5c-ffx3
- https://nvd.nist.gov/vuln/detail/CVE-2026-39946
- https://github.com/openbao/openbao/pull/2931
- https://github.com/openbao/openbao/commit/80693a46ebb4fc2455f1c51ed1dd853b28c2fd77
- https://github.com/openbao/openbao
- https://github.com/openbao/openbao/releases/tag/v2.5.3
Affected packages
Go / github.com/openbao/openbao
Package
- Name
- github.com/openbao/openbao
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/openbao/openbao