CVE-2026-40264
Privilege Escalation via Token Accessor Leak in OpenBao Namespaces
Publication date: 2026-04-21
Last updated on: 2026-04-24
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openbao | openbao | versions before 2.5.3 (2.5.3 excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1259 | The System-On-A-Chip (SoC) implements a Security Token mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. However, the Security Tokens are improperly protected. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-40264 is a vulnerability in OpenBao, an open source identity-based secrets management system that uses namespaces to separate tenants.
Prior to version 2.5.3, if a tenant's token accessors were leaked, a privileged administrator in a different tenant (namespace) could use those accessors to renew or revoke the first tenant's tokens. In other words, token management operations were not properly isolated between namespaces.
The vulnerability therefore permits cross-namespace token renewal and revocation by privileged administrators, which is a tenant-isolation flaw.
The issue was fixed in OpenBao version 2.5.3.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in OpenBao allows privileged administrators from one tenant to renew or revoke tokens belonging to another tenant because of insufficient tenant isolation. However, it does not impact confidentiality or integrity, only availability, and it carries a low severity score.
Since the vulnerability does not affect the confidentiality or integrity of data, it is unlikely to directly violate data protection requirements such as GDPR or HIPAA, which primarily focus on protecting the confidentiality and integrity of personal data.
Nevertheless, cross-tenant token management raises concerns about proper tenant isolation and access controls, which are relevant to compliance. Organizations should assess the impact of availability issues on their environment and ensure that the patched version (2.5.3) is deployed.
How can this vulnerability impact me?
The vulnerability has a low severity impact, with a CVSS v4 base score of 2.0.
It does not affect the confidentiality or integrity of the system.
The main impact is on availability: a privileged administrator in one tenant can revoke or renew tokens belonging to another tenant, which can disrupt token-based access for that tenant.
This could lead to denial of service or interruptions in token usage for the affected tenants.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade OpenBao to version 2.5.3 or later, where the issue has been fixed.
This update corrects the insufficient tenant isolation in token management that allowed privileged administrators in one tenant to renew or revoke tokens in another tenant.