pkg:Go/github.com/openbao/openbao

39 total CVEsCRITICAL4HIGH7MEDIUM10LOW4

✅ Check your installed version

All known vulnerabilities

  • CRITICAL9.6CVE-2026-33757OpenBao lacks user confirmation for OIDC direct callback mode
    from 0, < 0.0.0-20260325142553-e32103951925
  • CRITICAL9.6CVE-2026-33757OpenBao lacks user confirmation for OIDC direct callback mode
    from 0, < 0.0.0-20260325142553-e32103951925
  • CRITICAL9.1CVE-2025-54997Privileged OpenBao Operator May Execute Code on the Underlying Host in github.com/openbao/openbao
    >= 0.1.0, < 2.3.2
  • CRITICAL9.1CVE-2025-54997Privileged OpenBao Operator May Execute Code on the Underlying Host in github.com/openbao/openbao
    from 0, < 0.0.0-20250806194004-a14053c9679d, >= 0.1.0
  • HIGH7.5CVE-2025-59043OpenBao has potential Denial of Service vulnerability when processing malicious unauthenticated JSON requests in github.com/openbao/openbao
    from 0
  • HIGH7.5CVE-2025-59043OpenBao has potential Denial of Service vulnerability when processing malicious unauthenticated JSON requests in github.com/openbao/openbao
    from 0, < 2.4.1
  • HIGH7.5CVE-2024-8185Hashicorp Vault vulnerable to denial of service through memory exhaustion in github.com/hashicorp/vault
    from 0, < 2.0.3
  • HIGH7.5CVE-2024-7594Vault SSH Secrets Engine Configuration Did Not Restrict Valid Principals By Default
    >= 0.1.0
  • HIGH7.2CVE-2025-54996OpenBao Root Namespace Operator May Elevate Token Privileges in github.com/openbao/openbao
    >= 0.1.0, < 2.3.2
  • HIGH7.2CVE-2025-54996OpenBao Root Namespace Operator May Elevate Token Privileges in github.com/openbao/openbao
    from 0, < 0.0.0-20250806193240-9b0b5d4f345f, >= 0.1.0
  • HIGH7.2CVE-2024-9180Vault Operators in Root Namespace May Elevate Their Privileges
    from 0, < 2.0.3
  • MEDIUM6.5CVE-2025-55001OpenBao LDAP MFA Enforcement Bypass When Using Username As Alias in github.com/openbao/openbao
    >= 0.1.0, < 2.3.2
  • MEDIUM6.5CVE-2025-55001OpenBao LDAP MFA Enforcement Bypass When Using Username As Alias in github.com/openbao/openbao
    from 0, < 0.0.0-20250807212521-c52795c1ef74, >= 0.1.0
  • MEDIUM6.5CVE-2025-55000OpenBao TOTP Secrets Engine Code Reuse in github.com/openbao/openbao
    >= 0.1.0, < 2.3.2
  • MEDIUM6.5CVE-2025-55000OpenBao TOTP Secrets Engine Code Reuse in github.com/openbao/openbao
    from 0, < 0.0.0-20250806193153-183891f8d535, >= 0.1.0
  • MEDIUM5.7CVE-2025-55003OpenBao Login MFA Bypass of Rate Limiting and TOTP Token Reuse in github.com/openbao/openbao
    >= 0.1.0, < 2.3.2
  • MEDIUM5.7CVE-2025-55003OpenBao Login MFA Bypass of Rate Limiting and TOTP Token Reuse in github.com/openbao/openbao
    from 0, < 0.0.0-20250807113757-8340a6918f6c, >= 0.1.0
  • MEDIUM5.3CVE-2026-46405OpenBao's Kerberos Auth Method Accumulates Unaccessible Tokens
    from 0, < 2.5.4
  • MEDIUM5.3CVE-2025-54998OpenBao Userpass and LDAP User Lockout Bypass in github.com/openbao/openbao
    >= 0.1.0, < 2.3.2
  • MEDIUM5.3CVE-2025-54998OpenBao Userpass and LDAP User Lockout Bypass in github.com/openbao/openbao
    from 0, < 0.0.0-20250807212521-c52795c1ef74, >= 0.1.0
  • MEDIUM4.9CVE-2026-39946OpenBao's SQL Injection in PostgreSQL database secrets engine
    from 0, < 0.0.0-20260420155735-b596b0882620
  • LOW3.7CVE-2025-54999OpenBao has a Timing Side-Channel in the Userpass Auth Method in github.com/openbao/openbao
    >= 0.1.0, < 2.3.2
  • LOW3.7CVE-2025-54999OpenBao has a Timing Side-Channel in the Userpass Auth Method in github.com/openbao/openbao
    from 0, < 0.0.0-20250806193356-4d9b5d3d6486, >= 0.1.0
  • LOW3.1CVE-2026-39396OpenBao: Decompression Bomb via Unbounded Copy in OCI Plugin Extraction (DoS)
    from 0, < 0.0.0-20260420180337-2b2a901aa9f7
  • LOW3.1CVE-2026-39388OpenBao's Certificate Authentication Allows Token Renewal With Different Certificate
    from 0, < 0.0.0-20260420160924-abe84e1af4c3
  • CVE-2026-46358OpenBao's Inline Auth Incorrectly Redacted Headers
    from 0, < 2.5.4
  • CVE-2026-45808OpenBao's cross-namespace lease revocation via legacy sys/revoke path bypasses ACL
    from 0, < 2.5.4
  • CVE-2026-42186OpenBao's Namespace Deletion May Not Delete Data Properly
    from 0, < 0.0.0-20260420173541-6d2e0506e2b4
  • CVE-2026-40264OpenBao's Token Store Allows Cross-Namespace Renewal, Revocation
    from 0, < 0.0.0-20260420162526-f58111d2ca54
  • CVE-2026-33758OpenBao has Reflected XSS in its OIDC authentication error message
    from 0, < 0.0.0-20260325133417-6e2b2dd84f0e
  • CVE-2026-33758OpenBao has Reflected XSS in its OIDC authentication error message
    from 0, < 0.0.0-20260325133417-6e2b2dd84f0e
  • CVE-2025-64761OpenBao is Vulnerable to Privileged Operator Identity Group Root Escalation
    from 0
  • CVE-2025-64761OpenBao is Vulnerable to Privileged Operator Identity Group Root Escalation
    from 0, < 2.4.4
  • CVE-2025-62705OpenBao and Vault Leak []byte Fields in Audit Logs in github.com/openbao/openbao
    from 0, < 0.0.0-20251022165510-cc2c476bac66
  • CVE-2025-62705OpenBao and Vault Leak []byte Fields in Audit Logs in github.com/openbao/openbao
    from 0, < 0.0.0-20251022165510-cc2c476bac66
  • CVE-2025-62513OpenBao leaks HTTPRawBody in Audit Logs in github.com/openbao/openbao
    >= 0.0.0-20241114205727-b1235e585db7, < 0.0.0-20251022165510-cc2c476bac66
  • CVE-2025-62513OpenBao leaks HTTPRawBody in Audit Logs in github.com/openbao/openbao
    >= 0.0.0-20241114205727-b1235e585db7, < 0.0.0-20251022165510-cc2c476bac66
  • CVE-2025-52894OpenBao allows cancellation of root rekey and recovery rekey operations without authentication
    from 0
  • CVE-2025-52894OpenBao allows cancellation of root rekey and recovery rekey operations without authentication
    >= 0.1.0