CVE-2026-39388
Token Renewal Bypass in OpenBao Certificate Authentication
Publication date: 2026-04-21
Last updated on: 2026-04-24
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openbao | openbao | < 2.5.3 (2.5.3 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-295 | The product does not validate, or incorrectly validates, a certificate. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-39388 is a vulnerability in OpenBao's certificate authentication method affecting versions up to 2.5.2. When a token renewal is requested with the parameter `disable_binding=true`, OpenBao tries to verify that the mTLS certificate presented matches the original certificate used for authentication.
Due to incorrect matching logic, the system allows token renewal if an attacker has a sibling certificate and key signed by the same Certificate Authority (CA), even if the certificate does not exactly match the original role or certificate.
This means an attacker who knows the original token or its accessor can renew tokens using a different but related certificate, effectively extending the lifetime of dynamic leases associated with the original token.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in OpenBao's certificate authentication method allows an attacker with knowledge of the original token or its accessor to renew tokens using a sibling certificate signed by the same CA, potentially extending the lifetime of dynamic leases and maintaining access within a similar scope.
While the vulnerability poses a security risk by enabling unauthorized token renewal, it has a low severity score and limited impact on confidentiality, integrity, and availability.
There is no explicit information provided about how this vulnerability directly affects compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability impact me?
This vulnerability allows an attacker with knowledge of the original token or its accessor and a sibling certificate signed by the same CA to renew tokens and extend the lifetime of dynamic leases.
As a result, the attacker can maintain access within a similar scope as the original token for a longer period than intended, potentially leading to unauthorized access or prolonged access to sensitive secrets.
However, the overall severity is rated low (CVSS score 2.0), with low impact on confidentiality and integrity, and no impact on availability.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade OpenBao to version 2.5.3 where the issue is patched.
As a workaround before upgrading, ensure that privileged roles are tightly scoped to single certificates to reduce the risk of token renewal abuse.