CVE-2026-40264

OpenBao's Token Store Allows Cross-Namespace Renewal, Revocation

CVSS 2 LOW · EPSS 0.3% · CWE-1259
In short

OpenBao's token system allowed an administrator in one tenant (namespace) to revoke or renew a token belonging to another tenant if they knew the token's ID. This bypassed the isolation that is supposed to keep different users or organizations separate from one another.

Technical detail

A cross-namespace token manipulation vulnerability in OpenBao prior to v2.5.3 permits privileged administrators to revoke or renew tokens across namespace boundaries using exposed token accessors. Exploitation requires knowledge of the target token accessor and administrative privileges in a different namespace; the impact undermines multi-tenant isolation guarantees.

Summary generated and translated by AI from the official description.
OpenBao is an open source identity-based secrets management system. OpenBao's namespaces provide multi-tenant separation. Prior to version 2.5.3, a tenant who leaks token accessors can have their token revoked or renewed by a privileged administrator in another tenant. This is addressed in v2.5.3.
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Affected products
openbao · openbao
