CVE-2026-33757
Received Received - Intake
Authentication Bypass in OpenBao via JWT/OIDC Direct Callback

Publication date: 2026-03-27

Last updated on: 2026-03-30

Assigner: GitHub, Inc.

Description
OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao does not prompt for user confirmation when logging in via JWT/OIDC and a role with `callback_mode` set to `direct`. This allows an attacker to start an authentication request and perform "remote phishing" by having the victim visit the URL and automatically log-in to the session of the attacker. Despite being based on the authorization code flow, the `direct` mode calls back directly to the API and allows an attacker to poll for an OpenBao token until it is issued. Version 2.5.2 includes an additional confirmation screen for `direct` type logins that requires manual user interaction in order to finish the authentication. This issue can be worked around either by removing any roles with `callback_mode=direct` or enforcing confirmation for every session on the token issuer side for the Client ID used by OpenBao.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-27
Last Modified
2026-03-30
Generated
2026-06-16
AI Q&A
2026-03-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33757
EUVD
EUVD-2026-16624
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openbao openbao to 2.5.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-384 Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability in OpenBao prior to version 2.5.2 allows an attacker to perform remote phishing by tricking a user into automatically logging into the attacker's session without explicit user consent. This leads to unauthorized access to sensitive authentication tokens, which can result in high confidentiality and integrity impacts.

Such unauthorized access and potential data compromise could negatively affect compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over user authentication, data confidentiality, and user consent.

The mitigation introduced in version 2.5.2, which adds an explicit user confirmation step during authentication, helps align the system with best practices for user consent and security, thereby improving compliance posture.

Executive Summary

CVE-2026-33757 is a critical vulnerability in OpenBao, an open source identity-based secrets management system, affecting versions prior to 2.5.2. The issue arises when OpenBao uses JWT/OIDC authentication with a role configured with `callback_mode` set to `direct`. In this mode, OpenBao does not prompt the user for confirmation during login.

This lack of confirmation allows an attacker to initiate an authentication request and perform "remote phishing" by tricking a victim into visiting a specially crafted URL. When the victim visits this URL, they are automatically logged into the attacker's session without explicit consent.

Although the authentication flow is based on the authorization code flow, the `direct` callback mode bypasses usual user interaction by calling back directly to the API. This enables the attacker to poll for an OpenBao token until it is issued, facilitating unauthorized access.

The vulnerability was fixed in OpenBao version 2.5.2 by adding an interactive confirmation step during the direct callback mode login process, requiring manual user interaction to complete authentication.

Impact Analysis

This vulnerability can have severe impacts including unauthorized access to your OpenBao sessions and secrets management system.

  • An attacker can remotely trick a user into visiting a malicious URL that automatically logs the user into the attacker's session.
  • The attacker can continuously poll for authentication tokens until one is issued, enabling token theft.
  • Confidentiality is compromised as unauthorized users can access sensitive data.
  • Integrity is at risk because attackers can potentially modify data without authorization.
  • Availability impact is low but the overall security breach can lead to significant operational and trust issues.
Detection Guidance

This vulnerability involves the OpenBao system not prompting for user confirmation during JWT/OIDC login when a role has callback_mode set to direct. Detection involves identifying authentication requests using direct callback mode without confirmation.

You can monitor network traffic for suspicious authorization request URLs that trigger automatic logins without user interaction. Look for repeated polling attempts to the OpenBao API token endpoint, which may indicate exploitation attempts.

Commands to detect this might include inspecting web server logs or API access logs for requests related to OIDC direct callback mode, such as:

  • Using grep or similar tools to find URLs or API calls containing parameters related to direct callback mode in OpenBao logs.
  • Monitoring for repeated token polling requests from the same IP address, which could indicate an attacker polling for tokens.
  • Checking for roles configured with callback_mode=direct in OpenBao role configurations.

However, no specific commands or detection tools are provided in the available resources.

Mitigation Strategies

To mitigate CVE-2026-33757, upgrade OpenBao to version 2.5.2 or later, which introduces an additional confirmation screen for direct callback mode logins requiring explicit user interaction.

If upgrading is not immediately possible, apply the following workarounds:

  • Remove any roles configured with callback_mode set to direct.
  • Enforce confirmation for every session on the token issuer side for the Client ID used by OpenBao.

These steps prevent automatic token issuance and reduce the risk of remote phishing attacks exploiting this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33757. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart