CVE-2026-42186

Source
https://cve.org/CVERecord?id=CVE-2026-42186
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42186.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-42186
Aliases
Published
2026-05-14T14:36:14.197Z
Modified
2026-07-15T01:48:57.703254305Z
Severity
  • 2.3 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N CVSS Calculator
Summary
OpenBao's Namespace Deletion May Not Delete Data Properly
Details

OpenBao is an open source identity-based secrets management system. Prior to 2.5.3, when OpenBao's initial namespace deletion fails, subsequent retries fail to properly remove all data before marking the namespace as deleted. This can affect any outstanding leases as well as potentially leaving unrelated storage entries around. This vulnerability is fixed in 2.5.3.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-212"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42186.json"
}
References

Affected packages

Git / github.com/openbao/openbao

Affected ranges

Type
GIT
Repo
https://github.com/openbao/openbao
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:openbao:openbao:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.5.3"
        }
    ]
}

Affected versions

api/auth/approle/v0.*
api/auth/approle/v0.1.0
api/auth/approle/v0.1.1
api/auth/approle/v0.2.0
api/auth/approle/v0.3.0
api/auth/approle/v0.4.0
api/auth/approle/v0.4.1
api/auth/approle/v1.*
api/auth/approle/v1.1.0-development20240408
api/auth/approle/v2.*
api/auth/approle/v2.0.1
api/auth/approle/v2.2.0
api/auth/approle/v2.3.0
api/auth/approle/v2.4.0
api/auth/approle/v2.5.0
api/auth/approle/v2.5.1
api/auth/aws/v0.*
api/auth/aws/v0.1.0
api/auth/aws/v0.2.0
api/auth/aws/v0.3.0
api/auth/aws/v0.4.0
api/auth/aws/v0.4.1
api/auth/aws/v1.*
api/auth/aws/v1.1.0-development20240408
api/auth/azure/v0.*
api/auth/azure/v0.1.0
api/auth/azure/v0.2.0
api/auth/azure/v0.3.0
api/auth/azure/v0.4.0
api/auth/azure/v0.4.1
api/auth/azure/v1.*
api/auth/azure/v1.1.0-development20240408
api/auth/gcp/v0.*
api/auth/gcp/v0.1.0
api/auth/gcp/v0.2.0
api/auth/gcp/v0.3.0
api/auth/gcp/v0.4.0
api/auth/gcp/v0.4.1
api/auth/gcp/v1.*
api/auth/gcp/v1.1.0-development20240408
api/auth/jwt/v2.*
api/auth/jwt/v2.4.0
api/auth/jwt/v2.5.0
api/auth/jwt/v2.5.1
api/auth/kubernetes/v1.*
api/auth/kubernetes/v1.1.0-development20240408
api/auth/kubernetes/v2.*
api/auth/kubernetes/v2.0.1
api/auth/kubernetes/v2.2.0
api/auth/kubernetes/v2.3.0
api/auth/kubernetes/v2.4.0
api/auth/kubernetes/v2.5.0
api/auth/kubernetes/v2.5.1
api/auth/ldap/v1.*
api/auth/ldap/v1.1.0-development20240408
api/auth/ldap/v2.*
api/auth/ldap/v2.0.1
api/auth/ldap/v2.2.0
api/auth/ldap/v2.3.0
api/auth/ldap/v2.4.0
api/auth/ldap/v2.5.0
api/auth/ldap/v2.5.1
api/auth/userpass/v0.*
api/auth/userpass/v0.1.0
api/auth/userpass/v0.2.0
api/auth/userpass/v0.3.0
api/auth/userpass/v0.4.0
api/auth/userpass/v0.4.1
api/auth/userpass/v1.*
api/auth/userpass/v1.1.0-development20240408
api/auth/userpass/v2.*
api/auth/userpass/v2.0.1
api/auth/userpass/v2.2.0
api/auth/userpass/v2.3.0
api/auth/userpass/v2.4.0
api/auth/userpass/v2.5.0
api/auth/userpass/v2.5.1
api/v1.*
api/v1.0.1
api/v1.0.2
api/v1.0.3
api/v1.0.4
api/v1.1.1
api/v1.100.0-development20240408
api/v1.2.0
api/v1.3.1
api/v1.5.0
api/v1.6.0
api/v1.7.0
api/v1.7.1
api/v1.7.2
api/v1.8.0
api/v1.8.1
api/v1.8.2
api/v1.8.3
api/v1.9.0
api/v1.9.1
api/v1.9.2
api/v2.*
api/v2.0.1
api/v2.1.0
api/v2.2.0
api/v2.3.0
api/v2.4.0
api/v2.5.0
api/v2.5.1
Other
before-plugin-removal
dev-namespaces-base-20250215
dev-namespaces-base-20250311
dev-namespaces-base-20250424
sdk/v0.*
sdk/v0.1.10
sdk/v0.1.11
sdk/v0.1.12
sdk/v0.1.13
sdk/v0.1.8
sdk/v0.1.9
sdk/v0.2.1
sdk/v0.3.0
sdk/v0.4.1
sdk/v0.5.0
sdk/v0.5.1
sdk/v0.5.3
sdk/v0.6.0
sdk/v0.6.1
sdk/v0.6.2
sdk/v0.7.0
sdk/v0.8.0
sdk/v0.9.0
sdk/v0.9.1
sdk/v1.*
sdk/v1.100.0-development20240408
sdk/v2.*
sdk/v2.0.1
sdk/v2.1.0
sdk/v2.2.0
sdk/v2.3.0
sdk/v2.4.0
sdk/v2.5.0
sdk/v2.5.1
v2.*
v2.0.0
v2.0.0-alpha20240329
v2.0.0-beta20240618
v2.1.0-beta20241114
v2.1.0-beta20241114.1
v2.1.0-beta20241114.2
v2.1.0-beta20241114.3
v2.2.0-beta20250213
v2.3.0-beta20250528
v2.4.0
v2.5.0
v2.5.0-beta20251125
v2.5.1
v2.5.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42186.json"