PT-2026-33881 · HashiCorp · HashiCorp Vault

Published: 2026-04-21 · Updated: 2026-05-27 · CVE-2026-39388

CVSS v3.1: 3.1 (Low)

Vector: AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: OpenBao versions prior to 2.5.3

Description: The Certificate authentication method contains a flaw in token renewal when disable_binding=true is configured. The system does not correctly verify whether the mTLS certificate presented with a renewal request matches the certificate used at login. As a result, an attacker holding a sibling certificate and key signed by the same Certificate Authority (CA) can renew tokens even though that certificate matches neither the original role nor the original certificate. The attacker must also possess the original token or its accessor, but with it they could extend the lifetime of dynamic leases. This issue originated from HashiCorp Vault.

Recommendations: Update to version 2.5.3. As a temporary workaround, ensure privileged roles are tightly scoped to single certificates.
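An added example in Go (not OpenBao's or Vault's code) modelling the renewal check described above: a constructed throwaway CA issues two sibling client certificates, the token is bound to the first, and the flawed disable_binding path accepts the sibling because it only checks the chain to the CA, while the patched path also requires the certificate fingerprint recorded at login. The function names and the fingerprint-on-token model are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// renewAllowed models the cert-auth renewal check with disable_binding=true. bound is the SHA-256 of the
// certificate presented at login (assumed token field). Only the patched path requires that exact certificate.
func renewAllowed(bound [32]byte, cert *x509.Certificate, ca *x509.CertPool, patched bool) bool {
	opts := x509.VerifyOptions{Roots: ca, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return false
	}
	if !patched {
		return true // flaw: any certificate chaining to the same CA renews the token
	}
	return sha256.Sum256(cert.Raw) == bound
}

// mkCert issues a throwaway ECDSA cert for the constructed test PKI: a self-signed CA when parent is nil, else a client leaf.
func mkCert(cn string, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil {
		t.IsCA, t.KeyUsage, parent, pkey = true, x509.KeyUsageCertSign, t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pkey)
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// demo builds one CA with two sibling client certs, binds the token to the first, and reports each path's verdict.
func demo() (flawedAcceptsSibling, patchedRejectsSibling, patchedAcceptsOriginal bool) {
	ca, caKey := mkCert("test-ca", nil, nil)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	orig, _ := mkCert("svc-a", ca, caKey)
	sib, _ := mkCert("svc-b", ca, caKey)
	bound := sha256.Sum256(orig.Raw)
	return renewAllowed(bound, sib, pool, false), !renewAllowed(bound, sib, pool, true), renewAllowed(bound, orig, pool, true)
}
```

The workaround in the advisory (scoping privileged roles to single certificates) narrows which sibling certificates can reach the flawed path; the fix restores the fingerprint comparison itself.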

Fix

Weakness Enumeration

Improper Certificate Validation
Incorrect Authorization

Related Identifiers

CVE-2026-39388
GHSA-7CCV-RP6M-RFFR
OPENSUSE-SU-2026:10594-1

Affected Products

HashiCorp Vault
OpenBao
RED OS