CVE-2026-33757

HIGHNVD 8.38.3
EchelonGraph scoreLOW confidence

This high-severity CVE scores 8.3 under NVD CVSS v3. EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: nvd
8.3
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: 0%CVSS: 8.3Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao does not prompt for user confirmation when logging in via JWT/OIDC and a role with callback_mode set to direct. This allows an attacker to start an authentication request and perform "remote phishing" by having the victim visit the URL and automatically log-in to the session of the attacker. Despite being based on the authorization code flow, the direct mode calls back directly to the API and allows an attacker to poll for an OpenBao token until it is issued. Version 2.5.2 includes an additional confirmation screen for direct type logins that requires manual user interaction in order to finish the authentication. This issue can be worked around either by removing any roles with callback_mode=direct or enforcing confirmation for every session on the token issuer side for the Client ID used by OpenBao.

CVSS v3
8.3
EG Score
8.3(low)
EPSS
33.1%
KEV
Not listed

Published

March 27, 2026

Last Modified

June 30, 2026

Advisory Details (6)

Auto-updated Jun 30, 2026
Patch available. Sources: github, redhat, github_commit.
redhat Patch Available

2452269 – (CVE-2026-33757) CVE-2026-33757 OpenBao: lack of user confirmation for OpenBao OIDC direct callback mode

https://bugzilla.redhat.com/show_bug.cgi?id=2452269
redhat Patch Available

cve-details

https://access.redhat.com/security/cve/CVE-2026-33757
github Patch Available

Lack of user confirmation for OpenBao OIDC direct callback mode · Advisory · openbao/openbao · GitHub

https://github.com/openbao/openbao/security/advisories/GHSA-7q7g-x6vg-xpc3
github_commit

commit e32103951925 (openbao/openbao)

Fix landed in openbao/openbao commit e32103951925 — awaiting tagged release

https://github.com/openbao/openbao/commit/e32103951925723e9787e33886ab6b6ec20f4964
generic

RFC 8628 - OAuth 2.0 Device Authorization Grant

https://datatracker.ietf.org/doc/html/rfc8628#section-5.4

Frequently asked(5)

What is CVE-2026-33757?
CVE-2026-33757 is a high vulnerability published on March 27, 2026. OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao does not prompt for user confirmation when logging in via JWT/OIDC and a role with callbackmode set to direct. This allows an attacker to start an authentication request and perform "remote phishing"…
When was CVE-2026-33757 disclosed?
CVE-2026-33757 was first published in the National Vulnerability Database on March 27, 2026, with the most recent update on June 30, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-33757 actively exploited?
CVE-2026-33757 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 33.1% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2026-33757?
CVE-2026-33757 has a CVSS v3 base score of 8.3 (NVD). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-33757?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-33757, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-33757

Explore →

Is Your Infrastructure Affected by CVE-2026-33757?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.