Description
OpenBao is an open source identity-based secrets management system. Prior to 2.5.3, when OpenBao's initial namespace deletion fails, subsequent retries fail to properly remove all data before marking the namespace as deleted. This can affect any outstanding leases as well as potentially leaving unrelated storage entries around. This vulnerability is fixed in 2.5.3.
Published: 2026-05-14
Score: 2.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenBao allows users to create namespaces that hold secrets. Prior to version 2.5.3, when an attempt to delete a namespace fails, subsequent retries do not fully remove all data before the namespace is marked as deleted. The result is that leftover leases and unrelated storage entries persist, which can lead to data exposure or loss of data integrity. The CVSS score of 2.3 indicates a low severity, but the persistence of data after a namespace is supposedly removed can still pose a risk in high-confidentiality environments.

Affected Systems

Vulnerable OpenBao installations are those running any version earlier than 2.5.3. The affected vendor is OpenBao.

Risk and Exploitability

The vulnerability requires the attacker to have the ability to initiate or retry a namespace deletion, which typically demands local or privileged access to the OpenBao instance. Although the EPSS score is not available and the issue is not listed in CISA KEV, residual data that remains after removal can be exploited in environments where secrets are highly sensitive. The ease of exploitation is low to medium, depending on whether valid deletion requests and sufficient permissions exist. The impact is mainly data persistence and possible inadvertent leakage rather than immediate remote code execution or denial of service.

Generated by OpenCVE AI on May 14, 2026 at 16:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenBao to version 2.5.3 or later to apply the fixed deletion logic.
  • If an upgrade cannot be performed immediately, verify existing namespace deletions and manually remove any orphaned leases or data entries that remain after namespaces are marked deleted.
  • Restrict deletion permissions to users with strictly necessary privileges to reduce the window for accidental data persistence.

Generated by OpenCVE AI on May 14, 2026 at 16:23 UTC.

Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-vv66-6rp4-wr4f
Title: OpenBao's Namespace Deletion May Not Delete Data Properly
History

Thu, 14 May 2026 16:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Openbao; Openbao openbao
Vendors & Products    (none)           Openbao; Openbao openbao

Thu, 14 May 2026 16:30:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 May 2026 15:15:00 +0000

Type          Values Removed   Values Added
Description   (none)           OpenBao is an open source identity-based secrets management system. Prior to 2.5.3, when OpenBao's initial namespace deletion fails, subsequent retries fail to properly remove all data before marking the namespace as deleted. This can affect any outstanding leases as well as potentially leaving unrelated storage entries around. This vulnerability is fixed in 2.5.3.
Title         (none)           OpenBao's Namespace Deletion May Not Delete Data Properly
Weaknesses    (none)           CWE-212
References    (none)           (none)
Metrics       (none)           cvssV4_0: {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T15:36:42.480Z

Reserved: 2026-04-25T01:53:21.583Z

Link: CVE-2026-42186

Vulnrichment

Updated: 2026-05-14T15:36:38.216Z

NVD

Status: Undergoing Analysis

Published: 2026-05-14T15:16:46.337

Modified: 2026-05-14T17:18:18.640

Link: CVE-2026-42186

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T16:30:24Z

Weaknesses