VDB

CVE-2026-33757

CVE-2026-33757 PUBLISHED CVSS 9.600000381469727 CRITICAL

OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao does not prompt for user confirmation when logging in via JWT/OIDC and a role with `callback_mode` set to `direct`. This allows an attacker to start an authentication request and perform "remote phishing" by having the victim visit the URL and automatically log-in to the session of the attacker. Despite being based on the authorization code flow, the `direct` mode calls back directly to the API and allows an attacker to poll for an OpenBao token until it is issued. Version 2.5.2 includes an additional confirmation screen for `direct` type logins that requires manual user interaction in order to finish the authentication. This issue can be worked around either by removing any roles with `callback_mode=direct` or enforcing confirmation for every session on the token issuer side for the Client ID used by OpenBao.

EPSS 0.04% · 12.6th percentile

Risk Scores

CVSS 3.1
9.600000381469727
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L
EPSS Score
0.04%
12.6th percentile

Affected Products

VendorProductVersions
github.comopenbao/openbao0, 0, 0
openbaoopenbao< 2.5.2, < 2.5.2, < 2.5.2

Exploit Intelligence

Timeline

  • Mar 26, 2026 CVE Published
  • Mar 27, 2026 CVE Updated
  • Mar 27, 2026 Coalition ESS Score
  • Mar 27, 2026 Security Advisory
  • Mar 27, 2026 PoC Published
  • Mar 27, 2026 PoC Published
  • Mar 28, 2026 EPSS Score
  • Mar 30, 2026 PoC Published
  • Mar 30, 2026 PoC Published
  • Apr 19, 2026 PoC Published
  • May 18, 2026 EPSS Score
  • May 19, 2026 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›