What is GHSA-7j6w-vvw2-5f9c?

GHSA-7j6w-vvw2-5f9c is a security advisory published by GitHub Security Advisories with Medium severity. OpenBao's Kerberos Auth Method Accumulates Unaccessible Tokens

Which CVE IDs does GHSA-7j6w-vvw2-5f9c cover?

GHSA-7j6w-vvw2-5f9c covers the following CVE IDs: CVE-2026-46405. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-7j6w-vvw2-5f9c?

GHSA-7j6w-vvw2-5f9c has a CVSS v3 base score of 5.3, published by GitHub Security Advisories.

Which products are affected by GHSA-7j6w-vvw2-5f9c?

GHSA-7j6w-vvw2-5f9c affects 1 product, including: go/github.com/openbao/openbao:\u003c= 2.5.3.

GHSA-7j6w-vvw2-5f9cMediumCVSS 5.3

OpenBao's Kerberos Auth Method Accumulates Unaccessible Tokens

Vendor

GitHub Security Advisories

Published

May 28, 2026

Last Modified

May 28, 2026

🔗 CVE IDs covered (1)

CVE-2026-46405 →

📋 Description

Impact

In OpenBao's Kerberos auth method on the GET handler, or when an Authorization: Negotiate header is supplied, the response is includes a logical.Auth object in addition to an error message. This results in tokens being created with only the default policy, default TTL, and no entity information, which are hidden by the returned error message. No access to these tokens by the caller occurs and the authentication token is not ever made accessible outside of sys/raw. At most this could cause storage usage.

Patches

This is fixed in OpenBao v2.5.4.

Workarounds

Users may set a rate limit quota to limit the creation of these paths. As the path is unauthenticated, it isn't possible to deny access to it.

OpenBao's Kerberos Auth Method Accumulates Unaccessible Tokens

🔗 CVE IDs covered (1)

📋 Description

Impact

Patches

Workarounds

Reporter

🎯 Affected products1

🔗 References (5)