GHSA-c36x-h252-g9x2Low

OpenBao: Cross-namespace lease revocation/renewal via canonical sys/leases/{revoke,renew} — incomplete fix of CVE-2026-45808

Published
June 19, 2026
Last Modified
June 19, 2026

🔗 CVE IDs covered (1)

📋 Description

Summary

OpenBao users with access to the sys/leases/revoke/:lease_id endpoint in any namespace can revoke leases in any other namespace as long as the lease identifier is known to them, bypassing ACLs that should apply for cross-namespace revocations.

Impact

OpenBao's namespaces provide multi-tenant separation. A tenant who intentionally leaks lease identifiers can have their lease and underlying credential revoked by a user in another tenant.

Patch

This will be fixed in OpenBao v2.5.5.

References

This vulnerability is similar to but distinct from:

  • CVE-2026-45808 / GHSA-v8v8-cm84-m686
  • CVE-2026-40264 / GHSA-p49j-v9wc-wg57

🎯 Affected products2

  • go/github.com/openbao/openbao:>= 0.1.0, <= 2.5.4
  • go/github.com/openbao/openbao:< 0.0.0-20260617103932-b20b999dd404

🔗 References (5)