CVE-2026-39946
OpenBao's SQL Injection in PostgreSQL database secrets engine
4.9
MEDIUM
CVSS 3.1
EPSS 0.03%
Description
### Impact When OpenBao revoked privileges on a role in the PostgreSQL database secrets engine, OpenBao failed to use proper database quoting on schema names provided by PostgreSQL. This could lead to role revocation failures, or more rarely, SQL injection as the management user. This vulnerability was originally from HashiCorp Vault. ### Patches This was addressed in v2.5.3. ### Workarounds Audit table schemas and ensure database users cannot create new schemas and grant privileges on them.
How to fix CVE-2026-39946
To remediate CVE-2026-39946, upgrade the affected package to a fixed version below.
- —upgrade to 0.0.0-20260420155735-b596b0882620 or later
Is CVE-2026-39946 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 0.0.0-20260420155735-b596b0882620
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM4.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N |