CVE-2026-40264
Status: Received - Intake
Privilege Escalation via Token Accessor Leak in OpenBao Namespaces

Publication date: 2026-04-21

Last updated on: 2026-04-24

Assigner: GitHub, Inc.

Description
OpenBao is an open source identity-based secrets management system. OpenBao's namespaces provide multi-tenant separation. Prior to version 2.5.3, a tenant who leaks token accessors can have their token revoked or renewed by a privileged administrator in another tenant. This is addressed in v2.5.3.
Meta Information
Published: 2026-04-21
Last Modified: 2026-04-24
Generated: 2026-06-19
AI Q&A: 2026-04-21
EPSS Evaluated: 2026-06-18
External references: NVD, EUVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: openbao
Product: openbao
Version / Range: all versions before 2.5.3 (2.5.3 itself is not affected)
CWE
CWE ID: CWE-1259
Description: The System-On-A-Chip (SoC) implements a Security Token mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. However, the Security Tokens are improperly protected.
Note that CWE-1259 is a hardware-design weakness (it belongs to CWE's hardware design view), so the mapping to a software token-accessor isolation flaw is loose; the underlying problem here is an authorization check that did not account for the tenant boundary.
Executive Summary

CVE-2026-40264 is a tenant-isolation flaw in OpenBao, an open source identity-based secrets management system whose namespaces provide multi-tenant separation.

A token accessor is an identifier for a token that lets its holder act on that token (look it up, renew it or revoke it) without possessing the token itself. Accessors are deliberately less sensitive than tokens and routinely end up in places tokens never should, such as audit logs and token-lookup output. Prior to version 2.5.3, accessor-based token renewal and revocation were not confined to the caller's namespace: a privileged administrator in one tenant who obtained another tenant's token accessors could renew or revoke that tenant's tokens. Token management, in other words, was not properly isolated between tenants.

The issue was fixed in OpenBao version 2.5.3.

Impact Analysis

The vulnerability is rated low severity, with a CVSS v4 base score of 2.0.

Confidentiality and integrity are not affected: holding an accessor does not reveal the token itself or the secrets that token can reach.

The impact is on availability. A privileged administrator in one tenant can revoke tokens belonging to another tenant, cutting off the workloads and sessions that depend on them, or renew them, extending a lifetime the owning tenant did not choose.

For the affected tenant this amounts to denial of service or interruption of token-based access.

Mitigation Strategies

Upgrade OpenBao to version 2.5.3 or later, where the issue has been fixed. The update addresses the insufficient tenant isolation in token management that allowed privileged administrators in one tenant to renew or revoke tokens in another tenant.

Until the upgrade is applied, treat token accessors as sensitive even though they are not secrets: they appear in audit logs and in token creation and lookup responses, so limit who can read those sources across tenant boundaries. After upgrading, reviewing audit logs for accessor-based renew and revoke requests that originate from a namespace other than the one owning the affected tokens will show whether the issue was exercised.

Compliance Impact

The vulnerability allows privileged administrators in one tenant to renew or revoke tokens of another tenant because of insufficient tenant isolation. It does not affect confidentiality or integrity, only availability, and carries a low severity score.

Because neither the confidentiality nor the integrity of data is affected, the issue is unlikely to directly violate data protection requirements such as GDPR or HIPAA, which focus primarily on the confidentiality and integrity of personal data.

Cross-tenant token management does, however, bear on the tenant isolation and access-control requirements that many compliance frameworks impose. Organizations should weigh the availability impact and ensure that the patched version (2.5.3 or later) is deployed.
