{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33757", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T18:30:14.125Z", "datePublished": "2026-03-27T14:10:58.639Z", "dateUpdated": "2026-04-01T03:55:23.497Z"}, "containers": {"cna": {"title": "OpenBao lacks user confirmation for OIDC direct callback mode", "problemTypes": [{"descriptions": [{"cweId": "CWE-384", "lang": "en", "description": "CWE-384: Session Fixation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/openbao/openbao/security/advisories/GHSA-7q7g-x6vg-xpc3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openbao/openbao/security/advisories/GHSA-7q7g-x6vg-xpc3"}, {"name": "https://github.com/openbao/openbao/commit/e32103951925723e9787e33886ab6b6ec20f4964", "tags": ["x_refsource_MISC"], "url": "https://github.com/openbao/openbao/commit/e32103951925723e9787e33886ab6b6ec20f4964"}, {"name": "https://datatracker.ietf.org/doc/html/rfc8628#section-5.4", "tags": ["x_refsource_MISC"], "url": "https://datatracker.ietf.org/doc/html/rfc8628#section-5.4"}], "affected": [{"vendor": "openbao", "product": "openbao", "versions": [{"version": "< 2.5.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T14:10:58.639Z"}, "descriptions": [{"lang": "en", "value": "OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao does not prompt for user confirmation when logging in via JWT/OIDC and a role with `callback_mode` set to `direct`. This allows an attacker to start an authentication request and perform \"remote phishing\" by having the victim visit the URL and automatically log-in to the session of the attacker. Despite being based on the authorization code flow, the `direct` mode calls back directly to the API and allows an attacker to poll for an OpenBao token until it is issued. Version 2.5.2 includes an additional confirmation screen for `direct` type logins that requires manual user interaction in order to finish the authentication. This issue can be worked around either by removing any roles with `callback_mode=direct` or enforcing confirmation for every session on the token issuer side for the Client ID used by OpenBao."}], "source": {"advisory": "GHSA-7q7g-x6vg-xpc3", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-33757"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T03:55:23.497Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33757", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-30T12:03:22.886283Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T12:04:08.100Z"}}], "cna": {"title": "OpenBao lacks user confirmation for OIDC direct callback mode", "source": {"advisory": "GHSA-7q7g-x6vg-xpc3", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.6, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "openbao", "product": "openbao", "versions": [{"status": "affected", "version": "< 2.5.2"}]}], "references": [{"url": "https://github.com/openbao/openbao/security/advisories/GHSA-7q7g-x6vg-xpc3", "name": "https://github.com/openbao/openbao/security/advisories/GHSA-7q7g-x6vg-xpc3", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/openbao/openbao/commit/e32103951925723e9787e33886ab6b6ec20f4964", "name": "https://github.com/openbao/openbao/commit/e32103951925723e9787e33886ab6b6ec20f4964", "tags": ["x_refsource_MISC"]}, {"url": "https://datatracker.ietf.org/doc/html/rfc8628#section-5.4", "name": "https://datatracker.ietf.org/doc/html/rfc8628#section-5.4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao does not prompt for user confirmation when logging in via JWT/OIDC and a role with `callback_mode` set to `direct`. This allows an attacker to start an authentication request and perform \"remote phishing\" by having the victim visit the URL and automatically log-in to the session of the attacker. Despite being based on the authorization code flow, the `direct` mode calls back directly to the API and allows an attacker to poll for an OpenBao token until it is issued. Version 2.5.2 includes an additional confirmation screen for `direct` type logins that requires manual user interaction in order to finish the authentication. This issue can be worked around either by removing any roles with `callback_mode=direct` or enforcing confirmation for every session on the token issuer side for the Client ID used by OpenBao."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-384", "description": "CWE-384: Session Fixation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T14:10:58.639Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33757", "state": "PUBLISHED", "dateUpdated": "2026-04-01T03:55:23.497Z", "dateReserved": "2026-03-23T18:30:14.125Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-27T14:10:58.639Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openbao:openbao:*:*:*:*:*:*:*:*", "matchCriteriaId": "F1489D2B-6994-46B2-8550-256B9EFCFD48", "versionEndExcluding": "2.5.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao does not prompt for user confirmation when logging in via JWT/OIDC and a role with `callback_mode` set to `direct`. This allows an attacker to start an authentication request and perform \"remote phishing\" by having the victim visit the URL and automatically log-in to the session of the attacker. Despite being based on the authorization code flow, the `direct` mode calls back directly to the API and allows an attacker to poll for an OpenBao token until it is issued. Version 2.5.2 includes an additional confirmation screen for `direct` type logins that requires manual user interaction in order to finish the authentication. This issue can be worked around either by removing any roles with `callback_mode=direct` or enforcing confirmation for every session on the token issuer side for the Client ID used by OpenBao."}], "id": "CVE-2026-33757", "lastModified": "2026-03-30T17:23:24.993", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-27T15:16:57.690", "references": [{"source": "security-advisories@github.com", "tags": ["Technical Description"], "url": "https://datatracker.ietf.org/doc/html/rfc8628#section-5.4"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/openbao/openbao/commit/e32103951925723e9787e33886ab6b6ec20f4964"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/openbao/openbao/security/advisories/GHSA-7q7g-x6vg-xpc3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-384"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "OpenBao: lack of user confirmation for OpenBao OIDC direct callback mode", "id": "2452269", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452269"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L", "status": "draft"}, "cwe": "CWE-384", "details": ["A flaw was found in OpenBao. A missing prompt for user confirmation when logging in via the JWT/OIDC authentication method with a role configured to use `callback_mode=direct` allows an attacker to initiate an authentication request and perform a \"remote phishing\" attack by tricking an authenticated user into visiting a crafted URL, automatically logging the user into the session of the attacker."], "mitigation": {"lang": "en:us", "value": "To mitigate this vulnerability, review JWT/OIDC authentication configurations and remove or disable any roles that have `callback_mode=direct`, or enforce a manual confirmation prompt for every session specifically for the Client ID used by OpenBao."}, "name": "CVE-2026-33757", "package_state": [{"cpe": "cpe:/a:redhat:cryostat:4", "fix_state": "Affected", "package_name": "cryostat/cryostat-storage-rhel9", "product_name": "Cryostat 4"}], "public_date": "2026-03-27T14:10:58Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33757\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33757\nhttps://datatracker.ietf.org/doc/html/rfc8628#section-5.4\nhttps://github.com/openbao/openbao/commit/e32103951925723e9787e33886ab6b6ec20f4964\nhttps://github.com/openbao/openbao/security/advisories/GHSA-7q7g-x6vg-xpc3"], "statement": "To exploit this vulnerability, an attacker needs to convince a user to visit a crafted URL, limiting the exposure of this flaw. Due to this reason, this issue has been rated with an important severity.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.5.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "openbao", "source": "cna", "vendor": "openbao"}, "product": "openbao", "vendor": "openbao"}], "analysis": {"en": {"generated_at": "2026-03-30T18:51:25.183800+00:00", "value": {"mitigation_remediation": ["Upgrade to OpenBao version 2.5.2 or later to enable the required confirmation screen for direct callback logins", "Remove or reconfigure any roles that use callback_mode=\"direct\" so that only legitimate authentication flows are possible", "If an upgrade cannot be performed immediately, disable direct callback mode entirely or enforce confirmation on the token issuer side for the OpenBao client ID", "Monitor authentication logs for unusual direct callback activity and block any suspicious redirects", "Consider disabling OIDC or direct callback capability if it is not essential for business operations"], "summary": {"action": "Immediate Upgrade", "impact": "Unauthorized session takeover via automated OIDC login"}, "threat_synthesis": {"affected_systems": "The flaw exists in all OpenBao deployments using versions earlier than 2.5.2 that configure any role with callback_mode set to direct. Versions 2.5.2 and later introduce a mandatory confirmation prompt for direct callback logins, thereby mitigating the vulnerability. Operations that rely on direct OIDC callbacks in older releases are therefore exposed.", "description_and_impact": "OpenBao permits an attacker to launch an OIDC authentication request using the direct callback mode without any user confirmation. An attacker can construct a URL that, when a victim visits it, automatically completes the login flow and issues a bearer token directly to the attacker. The compromised token grants the attacker full privileges of the victim user within the OpenBao system. This vulnerability is a classic remote phishing scenario and represents a failure in authentication flow design, corresponding to the CWE-384 weakness in missing user confirmation for sensitive operations.", "risk_and_exploitability": "The CVSS score of 9.6 indicates a very high impact, although the EPSS score of under 1% suggests that exploitation is presently uncommon. Attackers only need to supply a crafted link and persuade a target user to click it; no additional code execution or privileged access is required. Because the flaw uses the OpenBao token issuer itself, successful exploitation results in immediate access to the victim\u2019s session. Although the vulnerability is not yet listed in the CISA KEV catalog, its high severity and low overhead for attackers still pose a significant risk to any OpenBao instance still running a vulnerable version or retaining direct callback roles."}}}}, "created": "2026-03-27T20:28:42.009982+00:00", "updated": "2026-03-30T20:57:04.200355+00:00", "vendors": ["openbao", "openbao$PRODUCT$openbao"]}