OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao does not prompt for user confirmation when logging in via JWT/OIDC and a role with callback_mode set to direct. This allows an attacker to start an authentication request and perform "remote phishing" by having the victim visit the URL and automatically log-in to the session of the attacker. Despite being based on the authorization code flow, the direct mode calls back directly to the API and allows an attacker to poll for an OpenBao token until it is issued. Version 2.5.2 includes an additional confirmation screen for direct type logins that requires manual user interaction in order to finish the authentication. This issue can be worked around either by removing any roles with callback_mode=direct or enforcing confirmation for every session on the token issuer side for the Client ID used by OpenBao.
CVE-2026-33757
This high-severity CVE scores 8.3 under NVD CVSS v3. EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).
- High severity, but no confirmed exploitation yet
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
- CVSS v3
- 8.3
- EG Score
- 8.3(low)
- EPSS
- 33.1%
- KEV
- Not listed
Published
March 27, 2026
Last Modified
June 30, 2026
Advisory Details (6)
Auto-updated Jun 30, 20262452269 – (CVE-2026-33757) CVE-2026-33757 OpenBao: lack of user confirmation for OpenBao OIDC direct callback mode
https://bugzilla.redhat.com/show_bug.cgi?id=2452269Lack of user confirmation for OpenBao OIDC direct callback mode · Advisory · openbao/openbao · GitHub
https://github.com/openbao/openbao/security/advisories/GHSA-7q7g-x6vg-xpc3commit e32103951925 (openbao/openbao)
Fix landed in openbao/openbao commit e32103951925 — awaiting tagged release
https://github.com/openbao/openbao/commit/e32103951925723e9787e33886ab6b6ec20f4964RFC 8628 - OAuth 2.0 Device Authorization Grant
https://datatracker.ietf.org/doc/html/rfc8628#section-5.4Frequently asked(5)
What is CVE-2026-33757?
When was CVE-2026-33757 disclosed?
Is CVE-2026-33757 actively exploited?
What is the CVSS score of CVE-2026-33757?
How do I remediate CVE-2026-33757?
Dependency Blast Radius
Explore the affected products and dependency analysis for CVE-2026-33757
Is Your Infrastructure Affected by CVE-2026-33757?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.