VDB
CVE-2026-39946
PUBLISHED
CVSS 4.6 MEDIUM
OpenBao is an open source identity-based secrets management system. Prior to version 2.5.3, when OpenBao revoked privileges on a role in the PostgreSQL database secrets engine, it failed to apply proper identifier quoting to the schema names returned by PostgreSQL. Because those names originate in the database itself, a schema name that requires quoting causes the revocation to fail, and a deliberately crafted schema name can, more rarely, lead to SQL injection executed as OpenBao's management user. The vulnerability was inherited from HashiCorp Vault, of which OpenBao is a fork. It is fixed in v2.5.3. As a workaround, audit table schemas and ensure database users cannot create new schemas or grant privileges on them.
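The following Go program is an added illustration of the quoting defect the advisory describes; it is not OpenBao's or Vault's code, and the function names, the `v-role-abc` user name and the schema names are constructed for the example. `quoteIdentifier` re-implements the behaviour of lib/pq's `pq.QuoteIdentifier` (wrap in double quotes, double embedded quotes) so the program runs with the standard library alone. It builds the REVOKE statement once with the schema name interpolated verbatim and once with it quoted, and counts top-level statements to show why an unquoted name chosen by a database user who may CREATE SCHEMA becomes a second statement run with the management user's privileges.

```go
package main

import (
	"fmt"
	"strings"
)

// quoteIdentifier quotes a PostgreSQL identifier: wrap it in double quotes and
// double any embedded double quote. This mirrors lib/pq's pq.QuoteIdentifier
// (assumed equivalent) so the example needs no external dependency.
func quoteIdentifier(name string) string {
	return `"` + strings.ReplaceAll(name, `"`, `""`) + `"`
}

// buildRevokeUnquoted shows the vulnerable pattern described in the advisory:
// the user name is quoted, but the schema name read back from the database is
// interpolated verbatim. Illustrative only; not OpenBao's or Vault's code.
func buildRevokeUnquoted(schema, username string) string {
	return fmt.Sprintf("REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA %s FROM %s;",
		schema, quoteIdentifier(username))
}

// buildRevokeQuoted is the corrected form: both identifiers are quoted.
func buildRevokeQuoted(schema, username string) string {
	return fmt.Sprintf("REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA %s FROM %s;",
		quoteIdentifier(schema), quoteIdentifier(username))
}

// statementCount counts top-level SQL statements by counting ';' characters
// that are not inside a double-quoted identifier. A doubled quote toggles the
// state twice, so escaped quotes are handled. This is a check for the example,
// not a SQL parser.
func statementCount(sql string) int {
	n := 0
	inQuote := false
	for i := 0; i < len(sql); i++ {
		switch {
		case sql[i] == '"':
			inQuote = !inQuote
		case sql[i] == ';' && !inQuote:
			n++
		}
	}
	return n
}

func main() {
	user := "v-role-abc" // constructed dynamic role name

	// Constructed schema names. "App Data" is a legal quoted identifier that a
	// bare interpolation turns into a syntax error (the revocation failure case).
	// The last one is the kind of name a database user allowed to CREATE SCHEMA
	// could choose: unquoted, it turns one REVOKE into several statements.
	for _, schema := range []string{"public", "App Data", "public; SELECT 1; --"} {
		bad := buildRevokeUnquoted(schema, user)
		good := buildRevokeQuoted(schema, user)
		fmt.Printf("schema %q\n  unquoted (%d stmt): %s\n  quoted   (%d stmt): %s\n",
			schema, statementCount(bad), bad, statementCount(good), good)
	}
}
```

Two failure modes are visible in the output. Any schema whose name needs quoting (spaces, punctuation, or mixed case, since PostgreSQL folds unquoted identifiers to lower case) makes the unquoted REVOKE fail or target a different schema, which is the revocation failure the advisory mentions. A name containing a semicolon yields three statements instead of one, which is the injection case; with quoting the whole name stays a single identifier. This is also why the workaround is to deny database users the ability to create schemas.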
EPSS 0.03% · 9.9th percentile
Risk Scores
CVSS v4.0
4.6
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N
EPSS Score
0.03%
9.9th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| openbao | openbao | < 2.5.3 |
Timeline
- Apr 20, 2026 PoC Published
- Apr 21, 2026 CVE Published
- Apr 21, 2026 PoC Published
- Apr 22, 2026 Security Advisory
- Apr 24, 2026 CVE Updated
- May 18–24, 2026 EPSS Score (updated daily)