GHSA-vv66-6rp4-wr4f

Source
https://github.com/advisories/GHSA-vv66-6rp4-wr4f
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-vv66-6rp4-wr4f/GHSA-vv66-6rp4-wr4f.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-vv66-6rp4-wr4f
Aliases
  • CVE-2026-42186
Published
2026-05-05T20:02:52Z
Modified
2026-05-14T21:05:57.048382Z
Severity
  • 2.3 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N
Summary
OpenBao's Namespace Deletion May Not Delete Data Properly
Details

Impact

When OpenBao's initial namespace deletion fails, subsequent retries fail to properly remove all data before marking the namespace as deleted. This can affect any outstanding leases and may also leave unrelated storage entries behind.

Patches

This will be patched in OpenBao v2.5.3.

Workarounds

Users may manually remove mounts prior to deleting the namespace.

Audit logs may be used to identify repeated deletion attempts against the same namespace; sys/raw can be used to see what leases were not correctly deleted.
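
The audit-log check described in the Workarounds above, as an added example that is not part of the advisory or of OpenBao's own code: it counts delete requests per namespace in JSON audit entries and reports namespaces deleted more than once. The field names (type, request.operation, request.path, request.namespace.path), the sys/namespaces/ path prefix and the sample entries are assumptions; check them against your own audit device output.

```python
import json
from collections import defaultdict

NS_API_PREFIX = "sys/namespaces/"  # assumed namespace API path prefix

# Constructed sample audit entries (not real log data); field layout is assumed.
SAMPLE_LOG = """\
{"time":"2026-01-01T10:00:00Z","type":"request","request":{"operation":"delete","path":"sys/namespaces/team-a","namespace":{"id":"root"}}}
{"time":"2026-01-01T10:00:01Z","type":"response","request":{"operation":"delete","path":"sys/namespaces/team-a","namespace":{"id":"root"}},"error":"constructed failure"}
{"time":"2026-01-01T10:05:00Z","type":"request","request":{"operation":"delete","path":"sys/namespaces/team-a","namespace":{"id":"root"}}}
{"time":"2026-01-01T10:06:00Z","type":"request","request":{"operation":"delete","path":"sys/namespaces/team-b","namespace":{"id":"root"}}}
{"time":"2026-01-01T10:07:00Z","type":"request","request":{"operation":"read","path":"sys/namespaces/team-a","namespace":{"id":"root"}}}
{"time":"2026-01-01T11:00:00Z","type":"request","request":{"operation":"delete","path":"sys/namespaces/dev","namespace":{"id":"x1","path":"team-c/"}}}
{"time":"2026-01-01T11:02:00Z","type":"request","request":{"operation":"delete","path":"sys/namespaces/dev","namespace":{"id":"x1","path":"team-c/"}}}
{truncated
"""

def repeated_namespace_deletes(lines, threshold=2):
    """Return {namespace path: [request times]} for namespaces with >= threshold delete requests."""
    seen = defaultdict(list)
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if not isinstance(entry, dict) or entry.get("type") != "request":
            continue  # response entries repeat the request; count each attempt once
        req = entry.get("request") or {}
        path = (req.get("path") or "").strip("/")
        if req.get("operation") != "delete" or not path.startswith(NS_API_PREFIX):
            continue
        # Qualify the target with the namespace the request was made in (assumed field).
        parent = ((req.get("namespace") or {}).get("path") or "").strip("/")
        child = path[len(NS_API_PREFIX):]
        full = f"{parent}/{child}" if parent else child
        seen[full].append(entry.get("time"))
    return {ns: times for ns, times in seen.items() if len(times) >= threshold}

if __name__ == "__main__":
    for ns, times in repeated_namespace_deletes(SAMPLE_LOG.splitlines()).items():
        print(f"{ns}: {len(times)} delete requests at {', '.join(times)}")
```

Namespaces flagged this way are the ones whose leases and storage entries are worth inspecting through sys/raw, as the workaround notes.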

Database specific
{
    "cwe_ids": [
        "CWE-212"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-05T20:02:52Z",
    "nvd_published_at": "2026-05-14T15:16:46Z",
    "severity": "LOW"
}
Affected packages

Go / github.com/openbao/openbao

Package

Name
github.com/openbao/openbao
Purl
pkg:golang/github.com/openbao/openbao

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
0.0.0-20260420173541-6d2e0506e2b4

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-vv66-6rp4-wr4f/GHSA-vv66-6rp4-wr4f.json"