OSG-SEC-2026-04-02 OpenBao XSS Vulnerabilities (CVE-2026-33758, CVE-2026-33757)

Dear OSG Security Contacts,

OpenBao is an open source identity-based secrets management system. A reflected cross-site scripting (XSS) vulnerability (CVE-2026-33758) exists in OpenBao. In addition, a related vulnerability (CVE-2026-33757) enables a “remote phishing” attack without prompting a user.

IMPACTED VERSIONS:

OpenBao versions prior to 2.5.2 are affected.

WHAT ARE THE VULNERABILITIES:

OpenBao installations that have an OIDC/JWT authentication method enabled with a role configured to use callbackmode=direct are vulnerable to XSS via the error_description parameter on the page shown after a failed authentication. This allows an attacker to access the token used by an authenticated user in the Web UI.

To exploit this vulnerability, an attacker needs to convince a user to visit a crafted URL. Successful exploitation could allow an attacker to steal a user’s authentication token and gain access to secrets managed by OpenBao.
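The defect class described above is a reflected value being written into an HTML page without output encoding. The Go program below is an added illustration, not OpenBao's code: it renders a constructed "authentication failed" page whose paragraph is filled from an error_description value, once with text/template (verbatim copy, the vulnerable pattern) and once with html/template (contextual auto-escaping, the fix). The template, the data type and the sample input are all constructed for this example.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	texttemplate "text/template"
)

// Constructed error page for a failed OIDC callback: the placeholder is
// filled from the request's error_description query parameter. This is an
// illustration of the pattern, not OpenBao's own template.
const errorPage = `<html><body><h1>Authentication failed</h1><p>{{.ErrorDescription}}</p></body></html>`

type errorPageData struct {
	ErrorDescription string
}

// RenderUnsafe renders with text/template, which copies the value into the
// document verbatim: any markup carried in error_description becomes part of
// the page and is parsed by the browser (the reflected XSS pattern).
func RenderUnsafe(desc string) (string, error) {
	t, err := texttemplate.New("err").Parse(errorPage)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, errorPageData{ErrorDescription: desc}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderSafe renders with html/template, whose context-aware escaper turns
// <, >, &, ' and " into entities in an HTML text context, so the same value
// is displayed as literal text instead of being interpreted as markup.
func RenderSafe(desc string) (string, error) {
	t, err := htmltemplate.New("err").Parse(errorPage)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, errorPageData{ErrorDescription: desc}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	// Constructed sample value of the kind a reflected XSS report would use.
	desc := "<script>alert(1)</script>"

	unsafeOut, err := RenderUnsafe(desc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("text/template (vulnerable):\n  %s\n", unsafeOut)

	safeOut, err := RenderSafe(desc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("html/template (escaped):\n  %s\n", safeOut)
}
```

The safe variant does not need a hand-written escaping call: html/template decides the escaping from the position of the placeholder in the markup, which is why it is the right tool whenever request data (query parameters included) ends up in a page.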

A similar attack could also be performed if an OIDC token issuer does not always prompt the user to approve. This affects both callbackmode=direct and callbackmode=device, but OpenBao can only intervene with the former, so it is best to make sure the token issuer always prompts for approval. The latest OpenBao version inserts an additional confirmation prompt by default with callbackmode=direct; this can be disabled if the token issuer has its own prompt.

WHAT YOU SHOULD DO:

Upgrade OpenBao to version 2.5.2 or later. OpenBao 2.5.2 is available in OSG 24 repositories, and OSG 25 is updated via EPEL. As a mitigation for the first CVE, callbackmode=direct could be disabled in all OIDC roles, but switching to callbackmode=device makes the second CVE worse unless the token issuer always prompts the user for approval. Monitor logs for suspicious authentication failures or unusual URL patterns.
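As an added example of the log monitoring suggested above (not a tool from OpenBao or OSG), the Go program below scans constructed access log lines for OIDC callback requests whose error_description parameter carries markup once percent-decoded, and tallies failed callbacks per client so bursts of failures stand out. The log line format, the /ui/oidc/callback path and the client addresses are all constructed placeholders; adapt the regular expression to the format your reverse proxy or OpenBao front end actually writes.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// Constructed sample log lines in a simple
//   <timestamp> <client> "<method> <uri> <proto>" <status>
// layout. The callback path is a placeholder, not OpenBao's real route.
var SampleLog = []string{
	`2026-04-02T09:00:01Z 198.51.100.7 "GET /v1/sys/health HTTP/1.1" 200`,
	`2026-04-02T09:00:05Z 198.51.100.7 "GET /ui/oidc/callback?state=abc&error=access_denied&error_description=user+declined HTTP/1.1" 200`,
	`2026-04-02T09:01:13Z 203.0.113.9 "GET /ui/oidc/callback?state=xyz&error=access_denied&error_description=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200`,
	`2026-04-02T09:01:14Z 203.0.113.9 "GET /ui/oidc/callback?state=xyz&error=invalid_request&error_description=see+%3Ca+href%3Djavascript:alert(1)%3Ehelp%3C%2Fa%3E HTTP/1.1" 200`,
}

// lineRe splits one constructed log line into its fields.
var lineRe = regexp.MustCompile(`^(\S+) (\S+) "(\S+) (\S+) [^"]*" (\d{3})$`)

// markupRe flags characters and fragments that have no place in a plain
// error message from an identity provider: tags, javascript: URLs and
// inline event-handler attributes.
var markupRe = regexp.MustCompile(`(?i)[<>]|javascript:|on[a-z]+\s*=`)

// Finding is one suspicious callback request.
type Finding struct {
	Time   string
	Client string
	Value  string // decoded error_description
}

// ScanLines returns a finding for every request whose error_description
// parameter looks like markup, and a count of callback failures per client
// (any request carrying an error parameter) for spotting unusual bursts.
func ScanLines(lines []string) ([]Finding, map[string]int) {
	findings := []Finding{}
	failures := map[string]int{}
	for _, line := range lines {
		m := lineRe.FindStringSubmatch(line)
		if m == nil {
			continue // not in the expected layout; a real scanner would log this
		}
		ts, client, rawURI := m[1], m[2], m[4]
		u, err := url.Parse(rawURI)
		if err != nil {
			continue
		}
		q := u.Query() // percent-decodes values, so %3C becomes <
		if q.Get("error") != "" {
			failures[client]++
		}
		desc := q.Get("error_description")
		if desc != "" && markupRe.MatchString(desc) {
			findings = append(findings, Finding{Time: ts, Client: client, Value: desc})
		}
	}
	return findings, failures
}

func main() {
	findings, failures := ScanLines(SampleLog)
	for _, f := range findings {
		fmt.Printf("%s %s suspicious error_description: %q\n", f.Time, f.Client, f.Value)
	}
	for client, n := range failures {
		fmt.Printf("%s: %d failed callback(s)\n", client, n)
	}
}
```

Query() performs a single round of percent-decoding, so a value that was encoded twice would pass this check; if your proxy logs the URI as received, consider decoding a second time before matching, and treat any match as a prompt to review the session rather than as proof of compromise.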

REFERENCES:

[1] https://access.redhat.com/security/cve/cve-2026-33758
[2] https://access.redhat.com/security/cve/cve-2026-33757
[3] https://bugzilla.redhat.com/show_bug.cgi?id=2452294
[4] https://bugzilla.redhat.com/show_bug.cgi?id=2452269
[5] https://nvd.nist.gov/vuln/detail/CVE-2026-33758
[6] https://nvd.nist.gov/vuln/detail/CVE-2026-33757
[7] https://repo.osg-htc.org/

Please contact the OSG security team at [email protected] if you have any questions or concerns.

OSG Security Team