CVE-2026-40264 — OpenBao's Token Store Allows Cross-Namespace Renewal, Revocation

Description

### Impact OpenBao's namespaces provide multi-tenant separation. A tenant who leaks token accessors can have their token revoked or renewed by a privileged administrator in another tenant. ### Patches This was addressed in v2.5.3.

How to fix CVE-2026-40264

To remediate CVE-2026-40264, upgrade the affected package to a fixed version below.

Go/github.com/openbao/openbao—upgrade to 0.0.0-20260420162526-f58111d2ca54 or later

Is CVE-2026-40264 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 0.0.0-20260420162526-f58111d2ca54

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-40264
PATCHgithub.com/openbao/openbao
WEBgithub.com/openbao/openbao/commit/059cc5950303688335d5c8ab9af8e453795d693a
WEBgithub.com/openbao/openbao/pull/2934
WEB