PT-2026-28530 · Openbao +1

Gianklug · Published 2026-03-26 · Updated 2026-05-29 · CVE-2026-33758

CVSS v4.0: 9.4 Critical
Vector: AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions: OpenBao versions prior to 2.5.2

Description: OpenBao, an open source identity-based secrets management system, is susceptible to reflected Cross-Site Scripting (XSS) through the OIDC error_description parameter during failed authentication attempts when an OIDC/JWT authentication method is enabled and a role is configured with callback_mode=direct. This allows an attacker to obtain the token used in the Web UI by a victim. The issue is addressed by replacing the error description parameter with a static error message. The API endpoint involved in the vulnerability is not explicitly mentioned. The vulnerable parameter is error_description.

Recommendations: Versions prior to 2.5.2 should be updated to version 2.5.2 or later. As a mitigation, remove any roles with callback mode set to direct.
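The pattern behind this class of bug and the shape of the published fix, as an added illustration that is not OpenBao's own code: a hypothetical OIDC callback handler that echoes the provider's error_description into its HTML error page, beside a hardened handler that renders a static message instead (and uses html/template so any later dynamic value is contextually escaped). The callback path "/callback", the handler names and the sample payload are constructed for the example.

```go
package main

import (
	"fmt"
	"html/template"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// vulnerableCallback mirrors the flawed pattern: the error_description query
// parameter from the OIDC redirect is interpolated into the HTML body verbatim,
// so whatever the redirect URL carries is parsed by the victim's browser.
func vulnerableCallback(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	desc := r.URL.Query().Get("error_description")
	fmt.Fprintf(w, "<html><body><p>Authentication failed: %s</p></body></html>", desc)
}

// errPage is a contextually escaping template (defence in depth).
var errPage = template.Must(template.New("err").Parse(
	"<html><body><p>{{.}}</p></body></html>"))

// fixedCallback follows the advisory's fix: the provider-supplied text is not
// rendered at all; a static message is shown and details go to server logs.
func fixedCallback(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	_ = r.URL.Query().Get("error_description") // deliberately unused in the page
	_ = errPage.Execute(w, "Authentication failed. Check the server logs for details.")
}

// render drives a handler with a constructed failed-login callback URL
// (hypothetical path "/callback") and returns the response body.
func render(h http.HandlerFunc, desc string) string {
	q := url.Values{"error": {"access_denied"}, "error_description": {desc}}
	req := httptest.NewRequest(http.MethodGet, "/callback?"+q.Encode(), nil)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Body.String()
}

func main() {
	marker := "<script>alert(1)</script>" // constructed sample input
	fmt.Println(strings.Contains(render(vulnerableCallback, marker), marker)) // true
	fmt.Println(strings.Contains(render(fixedCallback, marker), marker))      // false
}
```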

Tags: Exploit · Fix · XSS · Improper Encoding or Escaping of Output · RCE

Weakness Enumeration

Related Identifiers

CVE-2026-33758
GHSA-CPJ3-3R2F-XJ59
GO-2026-4862
OPENSUSE-SU-2026:10438-1
SUSE-SU-2026:1135-1

Affected Products

Openbao
Red Os