CVE-2026-33758
XSS in OpenBao OIDC Authentication Exposes User Tokens
Publication date: 2026-03-27
Last updated on: 2026-03-30
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openbao | openbao | to 2.5.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CWE-116 | The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33758 is a critical reflected Cross-Site Scripting (XSS) vulnerability in the OpenBao identity-based secrets management system. It affects versions prior to 2.5.2 when using OIDC/JWT authentication with roles configured with callback_mode=direct. The vulnerability arises because the error_description parameter on the authentication failure page is not properly sanitized, allowing attackers to inject malicious scripts.
This flaw enables attackers to execute scripts in the victim's browser, which can lead to unauthorized access to authentication tokens used in the Web UI. The vulnerability was fixed by replacing the error_description parameter with a static error message and improving input handling and output encoding to prevent script execution.
How can this vulnerability impact me? :
Exploitation of this vulnerability allows attackers to perform Cross-Site Scripting (XSS) attacks that can steal authentication tokens from users interacting with the OpenBao Web UI. This compromises the confidentiality, integrity, and availability of the affected system and potentially any connected systems.
- Attackers can gain unauthorized access to tokens, enabling them to impersonate users.
- Malicious scripts can be executed in the context of the victim's browser, leading to data theft or session hijacking.
- The vulnerability has a high severity score (CVSS 9.4), indicating critical impact with low attack complexity and no privileges required.
Mitigation involves upgrading to OpenBao version 2.5.2 or later, which replaces the vulnerable parameter with a static error message and requires explicit user confirmation for token issuance in direct callback mode.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a Cross-Site Scripting (XSS) attack via the `error_description` parameter in OpenBao installations using OIDC/JWT authentication with roles configured with `callback_mode=direct`. Detection involves checking for roles with `callback_mode` set to `direct` and monitoring authentication failure pages for reflected `error_description` parameters that could contain malicious scripts.
Since the vulnerability is triggered by the presence of the `error_description` parameter in the authentication failure page, you can detect attempts by inspecting HTTP requests and responses related to authentication failures for suspicious or script-containing `error_description` values.
Suggested commands to detect vulnerable configurations or exploit attempts include:
- Use grep or similar tools to find roles with `callback_mode=direct` in your OpenBao configuration files: `grep -r 'callback_mode=direct' /path/to/openbao/config`
- Monitor web server logs for requests containing `error_description` parameters with suspicious content: `grep 'error_description=' /var/log/nginx/access.log` or `grep 'error_description=' /var/log/httpd/access_log`
- Use a web proxy or interception tool (e.g., Burp Suite) to capture and analyze authentication failure responses for reflected script content in the `error_description` parameter.
Note that no specific detection commands are provided in the resources, but these general approaches align with the nature of the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
To mitigate CVE-2026-33758, the primary immediate step is to remove or disable any roles configured with `callback_mode=direct` in your OpenBao installation, as this configuration enables the vulnerable code path.
Additionally, upgrading OpenBao to version 2.5.2 or later is strongly recommended, as this version replaces the vulnerable `error_description` parameter with a static error message and implements multiple fixes to prevent XSS attacks in the JWT/OIDC authentication flow.
- Remove roles with `callback_mode=direct` from your OpenBao configuration.
- Upgrade OpenBao to version 2.5.2 or later where the vulnerability is patched.
- Ensure that your OpenBao deployment uses the updated authentication flow that prompts for user confirmation during direct callback mode to prevent unauthorized token issuance.
These steps prevent attackers from exploiting the reflected XSS vulnerability and protect authentication tokens from being accessed via malicious scripts.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows attackers to access authentication tokens used in the Web UI by victims through a cross-site scripting (XSS) attack. This compromises the confidentiality, integrity, and availability of authentication tokens and potentially sensitive user data.
Such unauthorized access and token compromise could lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls over personal and sensitive information to prevent unauthorized access and data breaches.
By enabling attackers to steal tokens, the vulnerability undermines security controls that are essential for compliance with these standards, potentially resulting in non-compliance due to exposure of protected data or failure to safeguard authentication mechanisms.