| Severity | CVSS | Advisory | Affected versions |
|---|---|---|---|
| CRITICAL | 9.6 | CVE-2026-33757 OpenBao lacks user confirmation for OIDC direct callback mode in github.com/openbao/openbao | from 0, < 0.0.0-20260325142553-e32103951925 |
| CRITICAL | 9.1 | Privileged OpenBao Operator May Execute Code on the Underlying Host in github.com/openbao/openbao | >= 0.1.0, < 2.3.2 |
| CRITICAL | 9.1 | Privileged OpenBao Operator May Execute Code on the Underlying Host in github.com/openbao/openbao | from 0, < 0.0.0-20250806194004-a14053c9679d, >= 0.1.0 |
| HIGH | 7.5 | OpenBao has potential Denial of Service vulnerability when processing malicious unauthenticated JSON requests in github.com/openbao/openbao | from 0 |
| HIGH | 7.5 | OpenBao has potential Denial of Service vulnerability when processing malicious unauthenticated JSON requests in github.com/openbao/openbao | from 0, < 2.4.1 |
| HIGH | 7.5 | Vault Vulnerable to Denial of Service When Processing Raft Join Requests | from 0, < 2.0.3 |
| HIGH | 7.5 | Vault SSH Secrets Engine Configuration Did Not Restrict Valid Principals By Default | >= 0.1.0 |
| HIGH | 7.2 | OpenBao Root Namespace Operator May Elevate Token Privileges in github.com/openbao/openbao | >= 0.1.0, < 2.3.2 |
| HIGH | 7.2 | OpenBao Root Namespace Operator May Elevate Token Privileges in github.com/openbao/openbao | from 0, < 0.0.0-20250806193240-9b0b5d4f345f, >= 0.1.0 |
| HIGH | 7.2 | Vault Operators in Root Namespace May Elevate Their Privileges | from 0, < 2.0.3 |
| MEDIUM | 6.5 | OpenBao LDAP MFA Enforcement Bypass When Using Username As Alias in github.com/openbao/openbao | >= 0.1.0, < 2.3.2 |
| MEDIUM | 6.5 | OpenBao LDAP MFA Enforcement Bypass When Using Username As Alias in github.com/openbao/openbao | from 0, < 0.0.0-20250807212521-c52795c1ef74, >= 0.1.0 |
| MEDIUM | 6.5 | OpenBao TOTP Secrets Engine Code Reuse in github.com/openbao/openbao | >= 0.1.0, < 2.3.2 |
| MEDIUM | 6.5 | OpenBao TOTP Secrets Engine Code Reuse in github.com/openbao/openbao | from 0, < 0.0.0-20250806193153-183891f8d535, >= 0.1.0 |
| MEDIUM | 5.7 | OpenBao Login MFA Bypass of Rate Limiting and TOTP Token Reuse in github.com/openbao/openbao | >= 0.1.0, < 2.3.2 |
| MEDIUM | 5.7 | OpenBao Login MFA Bypass of Rate Limiting and TOTP Token Reuse in github.com/openbao/openbao | from 0, < 0.0.0-20250807113757-8340a6918f6c, >= 0.1.0 |
| MEDIUM | 5.3 | OpenBao's Kerberos Auth Method Accumulates Unaccessible Tokens | from 0, < 2.5.4 |
| MEDIUM | 5.3 | OpenBao Userpass and LDAP User Lockout Bypass in github.com/openbao/openbao | >= 0.1.0, < 2.3.2 |
| MEDIUM | 5.3 | OpenBao Userpass and LDAP User Lockout Bypass in github.com/openbao/openbao | from 0, < 0.0.0-20250807212521-c52795c1ef74, >= 0.1.0 |
| MEDIUM | 4.9 | OpenBao's SQL Injection in PostgreSQL database secrets engine | from 0, < 0.0.0-20260420155735-b596b0882620 |
| LOW | 3.7 | OpenBao has a Timing Side-Channel in the Userpass Auth Method in github.com/openbao/openbao | >= 0.1.0, < 2.3.2 |
| LOW | 3.7 | OpenBao has a Timing Side-Channel in the Userpass Auth Method in github.com/openbao/openbao | from 0, < 0.0.0-20250806193356-4d9b5d3d6486, >= 0.1.0 |
| LOW | 3.1 | OpenBao: Decompression Bomb via Unbounded Copy in OCI Plugin Extraction (DoS) | from 0, < 0.0.0-20260420180337-2b2a901aa9f7 |
| LOW | 3.1 | OpenBao's Certificate Authentication Allows Token Renewal With Different Certificate | from 0, < 0.0.0-20260420160924-abe84e1af4c3 |
| — | — | OpenBao's Inline Auth Incorrectly Redacted Headers | from 0, < 2.5.4 |
| — | — | OpenBao's cross-namespace lease revocation via legacy sys/revoke path bypasses ACL | from 0, < 2.5.4 |
| — | — | OpenBao's Namespace Deletion May Not Delete Data Properly | from 0, < 0.0.0-20260420173541-6d2e0506e2b4 |
| — | — | OpenBao's Token Store Allows Cross-Namespace Renewal, Revocation | from 0, < 0.0.0-20260420162526-f58111d2ca54 |
| — | — | OpenBao has Reflected XSS in its OIDC authentication error message in github.com/openbao/openbao | from 0, < 0.0.0-20260325133417-6e2b2dd84f0e |
| — | — | OpenBao is Vulnerable to Privileged Operator Identity Group Root Escalation in github.com/openbao/openbao | from 0 |
| — | — | OpenBao is Vulnerable to Privileged Operator Identity Group Root Escalation in github.com/openbao/openbao | from 0, < 2.4.4 |
| — | — | OpenBao and Vault Leak []byte Fields in Audit Logs in github.com/openbao/openbao | from 0, < 0.0.0-20251022165510-cc2c476bac66 |
| — | — | OpenBao leaks HTTPRawBody in Audit Logs in github.com/openbao/openbao | >= 0.0.0-20241114205727-b1235e585db7, < 0.0.0-20251022165510-cc2c476bac66 |
| — | — | OpenBao allows cancellation of root rekey and recovery rekey operations without authentication in github.com/openbao/openbao | from 0 |
| — | — | OpenBao allows cancellation of root rekey and recovery rekey operations without authentication in github.com/openbao/openbao | >= 0.1.0 |