CVE-2026-33757
Authentication Bypass in OpenBao via JWT/OIDC Direct Callback
Publication date: 2026-03-27
Last updated on: 2026-03-30
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openbao | openbao | to 2.5.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-384 | Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in OpenBao prior to version 2.5.2 allows an attacker to perform remote phishing by tricking a user into automatically logging into the attacker's session without explicit user consent. This leads to unauthorized access to sensitive authentication tokens, which can result in high confidentiality and integrity impacts.
Such unauthorized access and potential data compromise could negatively affect compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over user authentication, data confidentiality, and user consent.
The mitigation introduced in version 2.5.2, which adds an explicit user confirmation step during authentication, helps align the system with best practices for user consent and security, thereby improving compliance posture.
Can you explain this vulnerability to me?
CVE-2026-33757 is a critical vulnerability in OpenBao, an open source identity-based secrets management system, affecting versions prior to 2.5.2. The issue arises when OpenBao uses JWT/OIDC authentication with a role configured with `callback_mode` set to `direct`. In this mode, OpenBao does not prompt the user for confirmation during login.
This lack of confirmation allows an attacker to initiate an authentication request and perform "remote phishing" by tricking a victim into visiting a specially crafted URL. When the victim visits this URL, they are automatically logged into the attacker's session without explicit consent.
Although the authentication flow is based on the authorization code flow, the `direct` callback mode bypasses usual user interaction by calling back directly to the API. This enables the attacker to poll for an OpenBao token until it is issued, facilitating unauthorized access.
The vulnerability was fixed in OpenBao version 2.5.2 by adding an interactive confirmation step during the direct callback mode login process, requiring manual user interaction to complete authentication.
How can this vulnerability impact me? :
This vulnerability can have severe impacts including unauthorized access to your OpenBao sessions and secrets management system.
- An attacker can remotely trick a user into visiting a malicious URL that automatically logs the user into the attacker's session.
- The attacker can continuously poll for authentication tokens until one is issued, enabling token theft.
- Confidentiality is compromised as unauthorized users can access sensitive data.
- Integrity is at risk because attackers can potentially modify data without authorization.
- Availability impact is low but the overall security breach can lead to significant operational and trust issues.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the OpenBao system not prompting for user confirmation during JWT/OIDC login when a role has callback_mode set to direct. Detection involves identifying authentication requests using direct callback mode without confirmation.
You can monitor network traffic for suspicious authorization request URLs that trigger automatic logins without user interaction. Look for repeated polling attempts to the OpenBao API token endpoint, which may indicate exploitation attempts.
Commands to detect this might include inspecting web server logs or API access logs for requests related to OIDC direct callback mode, such as:
- Using grep or similar tools to find URLs or API calls containing parameters related to direct callback mode in OpenBao logs.
- Monitoring for repeated token polling requests from the same IP address, which could indicate an attacker polling for tokens.
- Checking for roles configured with callback_mode=direct in OpenBao role configurations.
However, no specific commands or detection tools are provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
To mitigate CVE-2026-33757, upgrade OpenBao to version 2.5.2 or later, which introduces an additional confirmation screen for direct callback mode logins requiring explicit user interaction.
If upgrading is not immediately possible, apply the following workarounds:
- Remove any roles configured with callback_mode set to direct.
- Enforce confirmation for every session on the token issuer side for the Client ID used by OpenBao.
These steps prevent automatic token issuance and reduce the risk of remote phishing attacks exploiting this vulnerability.