External risk intelligence

OpenBao OIDC XSS via Authentication Error Description

CVE advisorySeverity: CRITICAL (CVSS 9.4)

CVE-2026-33758

OpenBao is a secrets management system that provides a Web UI for authentication and administrative tasks. Systems of this type are frequently deployed as internet-facing or externally accessible portals to facilitate identity-based access and remote secret retrieval for users and services, making the login and error-handling surface commonly reachable from external networks.

Cross-site Scripting

Openbao

before 2.5.2

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a vulnerability in OpenBao, an open-source secrets management system, specifically affecting installations with OIDC/JWT authentication and a particular role configuration. The issue could allow an attacker to gain access to a victim's authentication token through a web interface. The vendor has released a version addressing this vulnerability and also provided a configuration-based mitigation.

  • Flaw in secrets manager allows token theft.
  • Protects user credentials and system access.
  • Confirm relevance and verify system exposure.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending a crafted link to a victim. When the victim clicks the link, their browser will interact with an OpenBao instance that has a specific OIDC/JWT authentication method enabled. This interaction will trigger a cross-site scripting vulnerability in the error handling of a failed authentication attempt, allowing the attacker to potentially access the victim's authentication token for the Web UI.

  • Unauthenticated network access required.
  • User interaction with a malicious link.
  • Access to victim's Web UI token.

Live Threat

Current exploitation, exposure, and threat context

When an OpenBao installation has an OIDC/JWT authentication method enabled and a role configured with `callback_mode=direct`, a cross-site scripting vulnerability in the `error_description` parameter during failed authentication could allow an attacker to access a victim user's authentication token used by the Web UI.

  • User authentication tokens.
  • Via a crafted error message parameter.
  • Token theft for unauthorized access.

Operational Fix

Recommended remediation, mitigation, and detection steps

The OpenBao administrator or platform team is responsible for addressing this vulnerability. The initial step involves identifying all OpenBao installations, confirming if the OIDC/JWT authentication method with `callback_mode=direct` is configured, and assessing the exposure of the affected page. Once identified, the accountable owner should be determined to plan remediation, which may involve vendor coordination or applying temporary risk reduction measures.

  • Application or platform team owns remediation.
  • Verify OIDC/JWT and `callback_mode=direct` roles.
  • Plan remediation based on exposure and risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is OpenBao?

OpenBao is an open-source tool designed for identity-based secrets management. It acts as a secure vault, centralizing the storage and access control of sensitive credentials, keys, and tokens used by applications and services. By managing these secrets, it helps ensure that systems can securely retrieve the information needed for authentication without hardcoding sensitive data.

How does CVE-2026-33758 work?

This vulnerability is a Cross-Site Scripting (XSS) issue categorized under CWE-79. It occurs because the OpenBao Web UI improperly handles input within an error parameter during failed authentication attempts. An attacker can inject malicious scripts into this parameter, which the victim's browser then executes. This execution can potentially reveal the victim's active authentication token, which is used to manage secrets within the UI.

What triggers this vulnerability?

The flaw is triggered when a user clicks a malicious link that directs them to an OpenBao instance running a version prior to 2.5.2. Specifically, the instance must have the OIDC/JWT authentication method active and at least one role configured with 'callback_mode=direct'. If these specific OIDC/JWT settings are not enabled, or if the role's callback mode is different, the conditions required for this specific injection path are not met.

Is my OpenBao instance at risk?

According to Halo Surface Signal, OpenBao is often deployed as an externally accessible or internet-facing portal to support remote secret retrieval. If your instance is reachable from the internet, the potential for an attacker to target your users with a crafted link increases. You should check if your configuration uses the specific OIDC/JWT role setup mentioned, as internet-facing systems face a higher likelihood of being reachable by unauthenticated actors.

How do I secure my OpenBao deployment?

The most effective long-term step is to upgrade your OpenBao installation to version 2.5.2 or later, which replaces the vulnerable error parameter with a static message. If an immediate upgrade is not feasible, you can mitigate the risk by reviewing your authentication roles and removing any that currently have 'callback_mode' set to 'direct'. This action eliminates the specific trigger for the vulnerability while you plan for a full software update.

References