PT-2026-28529 · Openbao +1

Author: Gianklug · Published: 2026-03-26 · Updated: 2026-05-29 · CVE-2026-33757

CVSS v3.1: 9.6 (Critical)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions: OpenBao versions prior to 2.5.2

Description: OpenBao, an open source identity-based secrets management system, does not prompt for user confirmation when logging in via JWT/OIDC with a role configured with callback mode set to direct. This allows an attacker to initiate an authentication request and perform a "remote phishing" attack, automatically logging a victim into the attacker's session upon visiting a crafted URL. The direct mode allows an attacker to repeatedly query the API for an OpenBao token until one is issued.

Recommendations (versions prior to 2.5.2):
- Upgrade to version 2.5.2 or later, which includes an additional confirmation screen for direct type logins requiring manual user interaction.
- Remove any roles with callback mode set to direct.
- Enforce confirmation for every session on the token issuer side for the Client ID used by OpenBao.
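The recommendation to remove direct-mode roles can be checked with a short audit. The following Python is an added example, not OpenBao's or the advisory's own code; it assumes the Vault-compatible auth/<mount>/role read and list API, the X-Vault-Token header and the role field name callback_mode, all of which are assumptions to confirm against your OpenBao deployment.

```python
import json
import urllib.request

FIXED_VERSION = (2, 5, 2)  # first release with the confirmation screen


def is_fixed(version: str) -> bool:
    """True if an OpenBao version string is 2.5.2 or later."""
    core = version.lstrip("v").split("-")[0].split("+")[0]
    parts = tuple(int(p) for p in core.split("."))
    return parts >= FIXED_VERSION


def direct_callback_roles(roles: dict) -> list:
    """Names of roles whose callback_mode is "direct".

    `roles` maps role name -> the "data" dict from reading that role.
    A missing field means the plugin default, which is not "direct".
    """
    return sorted(n for n, cfg in roles.items()
                  if cfg.get("callback_mode") == "direct")


def audit(version: str, roles: dict) -> dict:
    """Summarise exposure: unpatched server and direct-mode roles present."""
    flagged = direct_callback_roles(roles)
    return {
        "patched": is_fixed(version),
        "direct_roles": flagged,
        "exposed": (not is_fixed(version)) and bool(flagged),
    }


def fetch_roles(addr: str, token: str, mount: str = "jwt") -> dict:
    """Read every role from a live server (assumed API shape; needs a token
    with list/read rights on auth/<mount>/role)."""
    def get(path):
        req = urllib.request.Request(f"{addr}/v1/{path}",
                                     headers={"X-Vault-Token": token})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)["data"]
    names = get(f"auth/{mount}/role?list=true").get("keys", [])
    return {n: get(f"auth/{mount}/role/{n}") for n in names}


# Constructed sample roles (not real data): one uses the risky direct mode.
SAMPLE_ROLES = {
    "sso-admins": {"role_type": "oidc", "callback_mode": "direct"},
    "sso-devs": {"role_type": "oidc", "callback_mode": "client"},
    "ci-jwt": {"role_type": "jwt"},
}

if __name__ == "__main__":
    print(json.dumps(audit("2.5.1", SAMPLE_ROLES), indent=2))
```

Against a live server, replace SAMPLE_ROLES with fetch_roles(addr, token) and the version from the server's health or status output.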

Weakness Enumeration: Session Fixation

Related identifiers

CVE-2026-33757
GHSA-7Q7G-X6VG-XPC3
GO-2026-4860
OPENSUSE-SU-2026:10438-1
SUSE-SU-2026:1135-1

Affected products

Openbao
Red Os