Description
OpenBao is an open source identity-based secrets management system. Prior to version 2.5.3, when OpenBao revoked privileges on a role in the PostgreSQL database secrets engine, OpenBao failed to use proper database quoting on schema names provided by PostgreSQL. This could lead to role revocation failures, or more rarely, SQL injection as the management user. This vulnerability was original from HashiCorp Vault. The vulnerability is addressed in v2.5.3. As a workaround, audit table schemas and ensure database users cannot create new schemas and grant privileges on them.
Published: 2026-04-21
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL injection in PostgreSQL database secrets engine
Action: Apply patch
AI Analysis

Impact

OpenBao, an open source identity-based secrets management system, failed to properly quote schema names when revoking privileges in its PostgreSQL database secrets engine before version 2.5.3. This flaw allows crafted schema names to bypass normal quoting mechanisms, potentially resulting in role revocation failures or, in less common cases, SQL injection executed with the privileges of the OpenBao management user. The injection could compromise confidentiality, integrity, or availability of the database data.

Affected Systems

Vulnerable installations of OpenBao up to and including version 2.5.2. The issue is specific to deployments that employ the PostgreSQL database secrets engine for role management.

Risk and Exploitability

The CVSS score of 4.6 indicates moderate severity, and the EPSS score is unavailable, suggesting no readily available data on exploitation likelihood. Because the vulnerability requires exploitation of the OpenBao API or management path, it is likely to be an internal or authenticated vector rather than a fully remote public one. The vulnerability is not listed in CISA’s KEV catalog, which reduces the urgency of immediate action but still warrants remediation due to the potential for privilege escalation.

Generated by OpenCVE AI on April 21, 2026 at 15:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenBao to version 2.5.3 or later to eliminate the quoting flaw.
  • If an upgrade cannot be performed immediately, audit existing PostgreSQL schema names for special characters and restrict database users from creating new schemas or granting privileges that could be leveraged by malicious input.
  • Ensure that the database user or role used by OpenBao for the secrets engine is limited to the minimum necessary privileges and that any input used to form SQL statements is properly validated or escaped, following the principle of putting input validation before database interaction.

Generated by OpenCVE AI on April 21, 2026 at 15:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-6vgr-cp5c-ffx3 OpenBao's SQL Injection in PostgreSQL database secrets engine
History

Fri, 24 Apr 2026 13:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:openbao:openbao:*:*:*:*:*:*:*:*

Wed, 22 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}

threat_severity

Moderate

Tue, 21 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 21 Apr 2026 03:00:00 +0000

Type Values Removed Values Added
First Time appeared Openbao
Openbao openbao
Vendors & Products Openbao
Openbao openbao

Tue, 21 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
Description OpenBao is an open source identity-based secrets management system. Prior to version 2.5.3, when OpenBao revoked privileges on a role in the PostgreSQL database secrets engine, OpenBao failed to use proper database quoting on schema names provided by PostgreSQL. This could lead to role revocation failures, or more rarely, SQL injection as the management user. This vulnerability was original from HashiCorp Vault. The vulnerability is addressed in v2.5.3. As a workaround, audit table schemas and ensure database users cannot create new schemas and grant privileges on them.
Title OpenBao allows SQL Injection in PostgreSQL database secrets engine
Weaknesses CWE-89
References
Metrics cvssV4_0

{'score': 4.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N'}

Subscriptions

Openbao Openbao
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T13:34:21.088Z

Reserved: 2026-04-07T22:40:33.821Z

Link: CVE-2026-39946

cve-icon Vulnrichment

Updated: 2026-04-21T13:34:17.196Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-21T01:16:06.790

Modified: 2026-04-24T13:28:39.900

Link: CVE-2026-39946

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-21T00:19:39Z

Links: CVE-2026-39946 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T15:37:55Z

Weaknesses