CVE-2026-42186
OpenBao's Namespace Deletion May Not Delete Data Properly
Description
### Impact

When OpenBao's initial namespace deletion fails, subsequent retries fail to properly remove all data before marking the namespace as deleted. This can affect any outstanding leases as well as potentially leaving unrelated storage entries around.

### Patches

This will be patched in OpenBao v2.5.3.

### Workarounds

Users may manually remove mounts prior to deleting the namespace. Audit logs may be used to identify repeated deletion attempts against the same namespace; `sys/raw` can be used to see what leases were not correctly deleted.
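One way to run the audit-log check mentioned in the workaround, as an added example that is not part of the advisory or OpenBao's own code. It assumes a file audit device writing one JSON object per line with `type`, `time`, `request.operation`, `request.path` and `request.namespace.path` fields, and that namespaces are deleted through `sys/namespaces/<name>`; the log lines are constructed.

```python
import json
from collections import defaultdict

# Assumption: namespace deletion is a "delete" operation on this path prefix,
# and request.namespace.path holds the parent namespace ("" for root).
NS_PREFIX = "sys/namespaces/"

# Constructed sample audit lines, not taken from a real deployment.
SAMPLE_LOG = """\
{"type":"request","time":"2026-04-21T10:00:00Z","request":{"operation":"delete","path":"sys/namespaces/team-a","namespace":{"path":""}}}
{"type":"response","time":"2026-04-21T10:00:01Z","error":"constructed error text","request":{"operation":"delete","path":"sys/namespaces/team-a","namespace":{"path":""}}}
{"type":"request","time":"2026-04-21T10:05:00Z","request":{"operation":"delete","path":"sys/namespaces/team-a","namespace":{"path":""}}}
{"type":"response","time":"2026-04-21T10:05:01Z","request":{"operation":"delete","path":"sys/namespaces/team-a","namespace":{"path":""}}}
{"type":"request","time":"2026-04-21T10:06:00Z","request":{"operation":"delete","path":"sys/namespaces/team-b","namespace":{"path":""}}}
{"type":"request","time":"2026-04-21T10:07:00Z","request":{"operation":"read","path":"sys/namespaces/team-a","namespace":{"path":""}}}
"""

def repeated_namespace_deletes(lines, threshold=2):
    """Map each namespace deleted at least `threshold` times to its attempt timestamps."""
    attempts = defaultdict(list)
    for line in lines:
        try:
            entry = json.loads(line)
        except ValueError:
            continue  # blank, truncated or non-JSON line
        if not isinstance(entry, dict):
            continue
        req = entry.get("request") or {}
        # Count request entries only, so a request/response pair is one attempt.
        if entry.get("type") != "request" or req.get("operation") != "delete":
            continue
        path = req.get("path") or ""
        if not path.startswith(NS_PREFIX):
            continue
        name = path[len(NS_PREFIX):].strip("/")
        parent = ((req.get("namespace") or {}).get("path") or "").strip("/")
        full = f"{parent}/{name}" if parent else name
        if name:
            attempts[full].append(entry.get("time", ""))
    return {ns: ts for ns, ts in attempts.items() if len(ts) >= threshold}

if __name__ == "__main__":
    for ns, times in repeated_namespace_deletes(SAMPLE_LOG.splitlines()).items():
        print(f"{ns}: {len(times)} delete attempts at {', '.join(times)}")
```

Namespaces it reports are the ones whose leases are worth inspecting through `sys/raw`, as the workaround describes.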
How to fix CVE-2026-42186
To remediate CVE-2026-42186, upgrade the affected package to a fixed version below.
- —upgrade to 0.0.0-20260420173541-6d2e0506e2b4 or later
Is CVE-2026-42186 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 0.0.0-20260420173541-6d2e0506e2b4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N |