Description
OpenBao is an open source identity-based secrets management system. OpenBao's namespaces provide multi-tenant separation. Prior to version 2.5.3, a tenant who leaks token accessors can have their token revoked or renewed by a privileged administrator in another tenant. This is addressed in v2.5.3.
Published: 2026-04-21
Score: 2 Low
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑namespace token renewal or revocation by an administrator in another tenant
Action: Apply Patch
AI Analysis

Impact

OpenBao separates tenants through namespaces, but before version 2.5.3 a token’s accessor could be leaked by one tenant and then used by a privileged administrator in a different tenant to either renew or revoke that token. This breach of separation effectively allows an attacker to extend or deny access to secrets that belong to another tenant, exposing the original tenant’s tokens and the secrets they protect. The flaw is classified as CWE‑1259, an information‑exposure weakness through token accessor leakage.

Affected Systems

The vulnerability affects all OpenBao deployments of the openbao product running any version earlier than 2.5.3. No additional product or version constraints are listed in the advisory.

Risk and Exploitability

The CVSS score of 2.0 reflects a low overall severity, and the EPSS indicator of less than 1% suggests a very low probability of exploitation at this time. The issue is not listed in the CISA KEV catalog. Exploitation requires an attacker to expose a token accessor and then rely on a privileged administrator within another namespace to act upon it; the scope of the impact is confined to the token’s lifetime and the privileges of the admin. Consequently, while the potential for denial of access exists, the practical risk is moderate due to the limited surface area and the need for cross‑namespace administrative privilege.

Generated by OpenCVE AI on April 22, 2026 at 03:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenBao to version 2.5.3 or later, where cross‑namespace token renewal and revocation are properly isolated.
  • Restrict privileged administrator permissions so that administrators cannot act on tokens in namespaces to which they are not granted access.
  • Monitor system logs for unexpected token renewal or revocation events across namespaces and investigate anomalies immediately.

Generated by OpenCVE AI on April 22, 2026 at 03:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-p49j-v9wc-wg57 OpenBao's Token Store Allows Cross-Namespace Renewal, Revocation
History

Fri, 24 Apr 2026 13:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:openbao:openbao:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L'}

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 21 Apr 2026 03:00:00 +0000

Type Values Removed Values Added
First Time appeared Openbao
Openbao openbao
Vendors & Products Openbao
Openbao openbao

Tue, 21 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
Description OpenBao is an open source identity-based secrets management system. OpenBao's namespaces provide multi-tenant separation. Prior to version 2.5.3, a tenant who leaks token accessors can have their token revoked or renewed by a privileged administrator in another tenant. This is addressed in v2.5.3.
Title OpenBao's Token Store Allows Cross-Namespace Renewal, Revocation
Weaknesses CWE-1259
References
Metrics cvssV4_0

{'score': 2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Openbao Openbao
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T19:30:51.975Z

Reserved: 2026-04-10T17:31:45.787Z

Link: CVE-2026-40264

cve-icon Vulnrichment

Updated: 2026-04-21T19:30:48.614Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-21T01:16:06.917

Modified: 2026-04-24T13:29:24.040

Link: CVE-2026-40264

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T03:30:06Z

Weaknesses