{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33758", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T18:30:14.125Z", "datePublished": "2026-03-27T14:12:33.941Z", "dateUpdated": "2026-03-27T19:58:18.047Z"}, "containers": {"cna": {"title": "OpenBao has Reflected XSS in its OIDC authentication error message", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-116", "lang": "en", "description": "CWE-116: Improper Encoding or Escaping of Output", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "baseScore": 9.4, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "version": "4.0"}}], "references": [{"name": "https://github.com/openbao/openbao/security/advisories/GHSA-cpj3-3r2f-xj59", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openbao/openbao/security/advisories/GHSA-cpj3-3r2f-xj59"}, {"name": "https://github.com/openbao/openbao/pull/2709", "tags": ["x_refsource_MISC"], "url": "https://github.com/openbao/openbao/pull/2709"}, {"name": "https://github.com/openbao/openbao/commit/6e2b2dd84f0e47cebc90d6e79609dd5274732662", "tags": ["x_refsource_MISC"], "url": "https://github.com/openbao/openbao/commit/6e2b2dd84f0e47cebc90d6e79609dd5274732662"}, {"name": "https://github.com/openbao/openbao/releases/tag/v2.5.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/openbao/openbao/releases/tag/v2.5.2"}], "affected": [{"vendor": "openbao", "product": "openbao", "versions": [{"version": "< 2.5.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T14:12:33.941Z"}, "descriptions": [{"lang": "en", "value": "OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao installations that have an OIDC/JWT authentication method enabled and a role with `callback_mode=direct` configured are vulnerable to XSS via the `error_description` parameter on the page for a failed authentication. This allows an attacker access to the token used in the Web UI by a victim. The `error_description` parameter has been replaced with a static error message in v2.5.2. The vulnerability can be mitigated by removing any roles with `callback_mode` set to `direct`."}], "source": {"advisory": "GHSA-cpj3-3r2f-xj59", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T18:55:28.333530Z", "id": "CVE-2026-33758", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T19:58:18.047Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33758", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-27T18:55:28.333530Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T18:55:40.953Z"}}], "cna": {"title": "OpenBao has Reflected XSS in its OIDC authentication error message", "source": {"advisory": "GHSA-cpj3-3r2f-xj59", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.4, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "openbao", "product": "openbao", "versions": [{"status": "affected", "version": "< 2.5.2"}]}], "references": [{"url": "https://github.com/openbao/openbao/security/advisories/GHSA-cpj3-3r2f-xj59", "name": "https://github.com/openbao/openbao/security/advisories/GHSA-cpj3-3r2f-xj59", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/openbao/openbao/pull/2709", "name": "https://github.com/openbao/openbao/pull/2709", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/openbao/openbao/commit/6e2b2dd84f0e47cebc90d6e79609dd5274732662", "name": "https://github.com/openbao/openbao/commit/6e2b2dd84f0e47cebc90d6e79609dd5274732662", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/openbao/openbao/releases/tag/v2.5.2", "name": "https://github.com/openbao/openbao/releases/tag/v2.5.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao installations that have an OIDC/JWT authentication method enabled and a role with `callback_mode=direct` configured are vulnerable to XSS via the `error_description` parameter on the page for a failed authentication. This allows an attacker access to the token used in the Web UI by a victim. The `error_description` parameter has been replaced with a static error message in v2.5.2. The vulnerability can be mitigated by removing any roles with `callback_mode` set to `direct`."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-116", "description": "CWE-116: Improper Encoding or Escaping of Output"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T14:12:33.941Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33758", "state": "PUBLISHED", "dateUpdated": "2026-03-27T19:58:18.047Z", "dateReserved": "2026-03-23T18:30:14.125Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-27T14:12:33.941Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openbao:openbao:*:*:*:*:*:*:*:*", "matchCriteriaId": "F1489D2B-6994-46B2-8550-256B9EFCFD48", "versionEndExcluding": "2.5.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao installations that have an OIDC/JWT authentication method enabled and a role with `callback_mode=direct` configured are vulnerable to XSS via the `error_description` parameter on the page for a failed authentication. This allows an attacker access to the token used in the Web UI by a victim. The `error_description` parameter has been replaced with a static error message in v2.5.2. The vulnerability can be mitigated by removing any roles with `callback_mode` set to `direct`."}], "id": "CVE-2026-33758", "lastModified": "2026-03-30T17:21:54.943", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T15:16:57.863", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/openbao/openbao/commit/6e2b2dd84f0e47cebc90d6e79609dd5274732662"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/openbao/openbao/pull/2709"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/openbao/openbao/releases/tag/v2.5.2"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/openbao/openbao/security/advisories/GHSA-cpj3-3r2f-xj59"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-116"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "OpenBao: reflected XSS in OpenBao OIDC authentication error message", "id": "2452294", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452294"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L", "status": "draft"}, "cwe": "CWE-79", "details": ["A flaw was found in OpenBao. Installations that have an OIDC/JWT authentication method enabled with a role configured to use `callback_mode=direct` are vulnerable to XSS via the `error_description` parameter on the page for a failed authentication. This allows an attacker to access the token used by an authenticated user in the Web UI."], "mitigation": {"lang": "en:us", "value": "To mitigate this vulnerability, review JWT/OIDC authentication configurations and remove or disable any roles that have `callback_mode=direct`."}, "name": "CVE-2026-33758", "package_state": [{"cpe": "cpe:/a:redhat:cryostat:4", "fix_state": "Affected", "package_name": "cryostat/cryostat-storage-rhel9", "product_name": "Cryostat 4"}], "public_date": "2026-03-27T14:12:33Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33758\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33758\nhttps://github.com/openbao/openbao/commit/6e2b2dd84f0e47cebc90d6e79609dd5274732662\nhttps://github.com/openbao/openbao/pull/2709\nhttps://github.com/openbao/openbao/releases/tag/v2.5.2\nhttps://github.com/openbao/openbao/security/advisories/GHSA-cpj3-3r2f-xj59"], "statement": "To exploit this vulnerability, an attacker needs to convince a user to visit a crafted URL, limiting the exposure of this flaw. Due to this reason, this issue has been rated with an important severity.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.5.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "openbao", "source": "cna", "vendor": "openbao"}, "product": "openbao", "vendor": "openbao"}], "analysis": {"en": {"generated_at": "2026-03-30T18:25:58.097998+00:00", "value": {"mitigation_remediation": ["Apply the OpenBao v2.5.2 or later update.", "Remove all OIDC roles that have callback_mode set to direct.", "Verify that no such roles remain in the configuration."], "summary": {"action": "Patch Immediately", "impact": "Token Theft via Reflected XSS"}, "threat_synthesis": {"affected_systems": "OpenBao installations with OIDC/JWT authentication enabled and any role configured with callback_mode set to direct are affected. The flaw exists in all releases prior to version 2.5.2; the fix is implemented in v2.5.2 through a static error message that removes the vulnerable parameter.", "description_and_impact": "The vulnerability arises from an unsanitized error_description parameter displayed on the OIDC authentication error page, which allows attackers to inject arbitrary script that runs in the victim's browser. When the script executes, it can read and exfiltrate the authentication token that the victim uses in the OpenBao web interface, effectively compromising the confidentiality of the victim\u2019s session and enabling unauthorized access to the victim\u2019s secrets.", "risk_and_exploitability": "The CVSS score of 9.4 indicates a high severity. The EPSS score is less than 1%, and the vulnerability is not listed in CISA\u2019s KEV catalog, suggesting a currently low exploitation likelihood. Attackers can exploit the reflected XSS by crafting a malicious error_description value and tricking a victim into visiting the resulting error page, causing the attacker\u2019s script to run in the victim\u2019s browser and steal the authentication token."}}}}, "created": "2026-03-27T20:28:40.126466+00:00", "updated": "2026-03-30T20:57:03.294316+00:00", "vendors": ["openbao", "openbao$PRODUCT$openbao"]}