CVE-2026-46405
OpenBao's Kerberos Auth Method Accumulates Unaccessible Tokens
Description
### Impact

In OpenBao's Kerberos auth method, on the `GET` handler or when an `Authorization: Negotiate` header is supplied, the response includes a `logical.Auth` object in addition to an error message. This results in tokens being created with only the default policy, the default TTL, and no entity information; these tokens are hidden behind the returned error message. The caller never gains access to these tokens, and the authentication token is never made accessible outside of `sys/raw`. At most this could cause increased storage usage.

### Patches

This is fixed in OpenBao v2.5.4.

### Workarounds

Users may set a rate limit quota to limit the rate at which these tokens are created. As the path is unauthenticated, it isn't possible to deny access to it.

### Reporter

This was discovered by an anonymous reporter.
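A simplified model of the defect described above, added here as an illustration and not OpenBao's own code: a core that mints a token whenever an auth method returns an Auth object, a handler that returns one alongside an error (the vulnerable pattern), and a handler that returns only the error (the fixed pattern). The type names, the error text and the request count are assumptions.

```go
package main

import "errors"
// Simplified model, constructed for illustration; not OpenBao's sdk/logical types.
type Auth struct {
	Policies []string // only "default" on the buggy path; no TTL or entity set
}
type Response struct {
	Auth     *Auth
	ErrorMsg string // non-empty: the caller gets an error instead of a token
}
// Core models a server that mints a token whenever a method returns a non-nil
// Auth, even when the same response also carries an error message.
type Core struct{ minted []Auth }

func (c *Core) Login(resp *Response) (*Auth, error) {
	if resp.Auth != nil {
		c.minted = append(c.minted, *resp.Auth) // persisted to storage
	}
	if resp.ErrorMsg != "" {
		return nil, errors.New(resp.ErrorMsg) // token never reaches the caller
	}
	return resp.Auth, nil
}

// buggyHandler mirrors the advisory for a GET or a request without a usable
// Negotiate header: the error response still carries a default-policy Auth.
func buggyHandler() *Response {
	return &Response{
		Auth:     &Auth{Policies: []string{"default"}},
		ErrorMsg: "missing Authorization: Negotiate header",
	}
}

// fixedHandler returns the error alone, so nothing is minted.
func fixedHandler() *Response {
	return &Response{ErrorMsg: "missing Authorization: Negotiate header"}
}

// OrphanedTokens sends n unauthenticated requests through a handler and returns
// how many tokens were stored although no caller ever received one.
func OrphanedTokens(handler func() *Response, n int) int {
	core := &Core{}
	for i := 0; i < n; i++ {
		if tok, err := core.Login(handler()); err == nil || tok != nil {
			return -1 // would mean an unauthenticated request got a token
		}
	}
	return len(core.minted)
}
```

With the buggy handler every rejected request leaves one default-policy token in storage, which is the accumulation the rate limit quota workaround bounds.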
How to fix CVE-2026-46405
To remediate CVE-2026-46405, upgrade the affected package to a fixed version listed below.
- Upgrade to 2.5.4 or later
Is CVE-2026-46405 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-46405.
Affected packages (1)
- OpenBao: from 0, < 2.5.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (5.3) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |