Mend.io Vulnerability Database
CVE-2026-46405
Published: May 31, 2026
Updated: June 13, 2026

Impact: In OpenBao's Kerberos auth method, the "GET" handler (or any request that supplies an "Authorization: Negotiate" header) returns a "logical.Auth" object alongside the error message. As a result, a token is created with only the default policy, the default TTL, and no entity information, and that token is hidden behind the returned error. The caller never receives these tokens, and the authentication token is never made accessible outside of "sys/raw". At most, this consumes storage.

Patches: This is fixed in OpenBao v2.5.4.

Workarounds: Users may set a rate limit quota on the affected path to limit how often these tokens can be created. Because the path is unauthenticated, access to it cannot be denied outright.

Reporter: This was discovered by an anonymous reporter.
Affected Packages
github.com/openbao/openbao (Go):
Affected version(s): >=v0.0.0-20231109181733-93b1d803cb32, <v2.5.4
Fix Suggestion:
Update to version v2.5.4
CVSS v4
Base Score: 6.9
Attack Vector: NETWORK
Attack Complexity: LOW
Attack Requirements: NONE
Privileges Required: NONE
User Interaction: NONE
Vulnerable System Confidentiality: NONE
Vulnerable System Integrity: NONE
Vulnerable System Availability: LOW
Subsequent System Confidentiality: NONE
Subsequent System Integrity: NONE
Subsequent System Availability: NONE
CVSS v3
Base Score: 5.3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: NONE
Integrity: NONE
Availability: LOW
Weakness Type (CWE): Allocation of Resources Without Limits or Throttling
EPSS Score: 0.08