PT-2026-37251 · Go+1 · Github.Com/Openbao/Openbao+1

Cipherboy · Published 2026-05-05 · Updated 2026-05-14 · CVE-2026-42186

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

OpenBao versions prior to 2.5.3

Description

An issue exists in the identity-based secrets management system where an initial failure during namespace deletion causes subsequent retries to fail to remove all data before the namespace is marked as deleted. This may result in outstanding leases remaining active or unrelated storage entries being left behind.

Recommendations

Update to version 2.5.3.
Manually remove mounts prior to deleting the namespace.
Use audit logs to identify repeated deletion attempts against the same namespace and utilize sys/raw to identify leases that were not correctly deleted.
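
The audit-log check from the recommendations, as an added example that is not part of the original advisory or the OpenBao project: it scans JSON-lines audit entries for namespaces that received more than one delete request and singles out those whose first attempt failed. The audit field names, the sys/namespaces/ request path and the sample entries are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample audit entries, one JSON object per line. The field names
# (type, time, error, request.operation/path/namespace.path) are assumptions.
SAMPLE_LOG = """\
{"time":"2026-05-01T10:00:00Z","type":"response","request":{"operation":"delete","path":"sys/namespaces/team-a","namespace":{"path":""}},"error":"constructed failure"}
{"time":"2026-05-01T10:02:00Z","type":"response","request":{"operation":"read","path":"sys/namespaces/team-a","namespace":{"path":""}}}
{"time":"2026-05-01T10:05:00Z","type":"response","request":{"operation":"delete","path":"sys/namespaces/team-a","namespace":{"path":""}}}
{"time":"2026-05-01T11:00:00Z","type":"response","request":{"operation":"delete","path":"sys/namespaces/team-b","namespace":{"path":""}}}
{"time":"2026-05-01T12:00:00Z","type":"response","request":{"operation":"delete","path":"sys/namespaces/team-c","namespace":{"path":"org/"}}}
{"time":"2026-05-01T12:01:00Z","type":"response","request":{"operation":"delete","path":"sys/namespaces/team-c","namespace":{"path":"org/"}},"error":"constructed failure"}
not json
"""
PREFIX = "sys/namespaces/"  # assumed path of the namespace API

def repeated_namespace_deletes(lines):
    """Map each namespace deleted more than once to its sorted (time, error) attempts."""
    attempts = defaultdict(list)
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or truncated lines
        if not isinstance(entry, dict) or entry.get("type") != "response":
            continue  # response entries carry the outcome of the request
        req = entry.get("request") or {}
        path = (req.get("path") or "").strip("/")
        if req.get("operation") != "delete" or not path.startswith(PREFIX):
            continue
        # Qualify the target with the namespace the request was made in.
        parent = ((req.get("namespace") or {}).get("path") or "").strip("/")
        child = path[len(PREFIX):]
        target = f"{parent}/{child}" if parent else child
        attempts[target].append((entry.get("time", ""), entry.get("error") or ""))
    return {t: sorted(a) for t, a in attempts.items() if len(a) > 1}

def failed_then_retried(flagged):
    """Namespaces whose first attempt errored and was retried (the advisory's condition)."""
    return sorted(t for t, tries in flagged.items() if tries[0][1])

if __name__ == "__main__":
    flagged = repeated_namespace_deletes(SAMPLE_LOG.splitlines())
    for ns in failed_then_retried(flagged):
        print(ns, flagged[ns])
```

Namespaces returned by failed_then_retried are the candidates for the sys/raw lease check named in the recommendations.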

Related Identifiers

CVE-2026-42186
GHSA-VV66-6RP4-WR4F

Affected Products

Github.Com/Openbao/Openbao
Openbao