CVE-2026-46358 — OpenBao's Inline Auth Incorrectly Redacted Headers

Description

### Impact OpenBao's inline auth functionality incorrectly redacted audit log entries, resulting in non-auth headers being removed and auth-related headers being retained in cleartext. This requires an attacker to compromise access to the audit device. Operators should review leaked source authentication material and rotate it as appropriate. ### Patches This is fixed in OpenBao v2.5.4. ### Resources https://github.com/openbao/openbao/issues/3074

How to fix CVE-2026-46358

To remediate CVE-2026-46358, upgrade the affected package to a fixed version below.

Go/github.com/openbao/openbao—upgrade to 2.5.4 or later

Is CVE-2026-46358 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-46358.

Affected packages (1)

from 0, < 2.5.4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References (6)

PATCHgithub.com/openbao/openbao
WEBgithub.com/openbao/openbao/commit/131c6966af4dfb4e1906703436eecdb8f2a3e9df
WEBgithub.com/openbao/openbao/issues/3074
WEBgithub.com/openbao/openbao/pull/3076
WEB