Executive Summary

CVE-2026-33758 is a critical reflected Cross-Site Scripting (XSS) vulnerability in the OpenBao identity-based secrets management system. It affects versions prior to 2.5.2 when using OIDC/JWT authentication with roles configured with callback_mode=direct. The vulnerability arises because the error_description parameter on the authentication failure page is not properly sanitized, allowing attackers to inject malicious scripts.

This flaw enables attackers to execute scripts in the victim's browser, which can lead to unauthorized access to authentication tokens used in the Web UI. The vulnerability was fixed by replacing the error_description parameter with a static error message and improving input handling and output encoding to prevent script execution.

Useful 0 Not Useful 0

Impact Analysis

Exploitation of this vulnerability allows attackers to perform Cross-Site Scripting (XSS) attacks that can steal authentication tokens from users interacting with the OpenBao Web UI. This compromises the confidentiality, integrity, and availability of the affected system and potentially any connected systems.

• Attackers can gain unauthorized access to tokens, enabling them to impersonate users.
• Malicious scripts can be executed in the context of the victim's browser, leading to data theft or session hijacking.
• The vulnerability has a high severity score (CVSS 9.4), indicating critical impact with low attack complexity and no privileges required.

Mitigation involves upgrading to OpenBao version 2.5.2 or later, which replaces the vulnerable parameter with a static error message and requires explicit user confirmation for token issuance in direct callback mode.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves a Cross-Site Scripting (XSS) attack via the `error_description` parameter in OpenBao installations using OIDC/JWT authentication with roles configured with `callback_mode=direct`. Detection involves checking for roles with `callback_mode` set to `direct` and monitoring authentication failure pages for reflected `error_description` parameters that could contain malicious scripts.

Since the vulnerability is triggered by the presence of the `error_description` parameter in the authentication failure page, you can detect attempts by inspecting HTTP requests and responses related to authentication failures for suspicious or script-containing `error_description` values.

Suggested commands to detect vulnerable configurations or exploit attempts include:

• Use grep or similar tools to find roles with `callback_mode=direct` in your OpenBao configuration files: `grep -r 'callback_mode=direct' /path/to/openbao/config`
• Monitor web server logs for requests containing `error_description` parameters with suspicious content: `grep 'error_description=' /var/log/nginx/access.log` or `grep 'error_description=' /var/log/httpd/access_log`
• Use a web proxy or interception tool (e.g., Burp Suite) to capture and analyze authentication failure responses for reflected script content in the `error_description` parameter.

Note that no specific detection commands are provided in the resources, but these general approaches align with the nature of the vulnerability.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate CVE-2026-33758, the primary immediate step is to remove or disable any roles configured with `callback_mode=direct` in your OpenBao installation, as this configuration enables the vulnerable code path.

Additionally, upgrading OpenBao to version 2.5.2 or later is strongly recommended, as this version replaces the vulnerable `error_description` parameter with a static error message and implements multiple fixes to prevent XSS attacks in the JWT/OIDC authentication flow.

• Remove roles with `callback_mode=direct` from your OpenBao configuration.
• Upgrade OpenBao to version 2.5.2 or later where the vulnerability is patched.
• Ensure that your OpenBao deployment uses the updated authentication flow that prompts for user confirmation during direct callback mode to prevent unauthorized token issuance.

These steps prevent attackers from exploiting the reflected XSS vulnerability and protect authentication tokens from being accessed via malicious scripts.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows attackers to access authentication tokens used in the Web UI by victims through a cross-site scripting (XSS) attack. This compromises the confidentiality, integrity, and availability of authentication tokens and potentially sensitive user data.

Such unauthorized access and token compromise could lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls over personal and sensitive information to prevent unauthorized access and data breaches.

By enabling attackers to steal tokens, the vulnerability undermines security controls that are essential for compliance with these standards, potentially resulting in non-compliance due to exposure of protected data or failure to safeguard authentication mechanisms.

Useful 0 Not Useful 0