What is GHSA-q8cj-789h-vg24?

GHSA-q8cj-789h-vg24 is a security advisory published by GitHub Security Advisories with Medium severity. OpenBao's Inline Auth Incorrectly Redacted Headers

Which CVE IDs does GHSA-q8cj-789h-vg24 cover?

GHSA-q8cj-789h-vg24 covers the following CVE IDs: CVE-2026-46358. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

Which products are affected by GHSA-q8cj-789h-vg24?

GHSA-q8cj-789h-vg24 affects 1 product, including: go/github.com/openbao/openbao:\u003c= 2.5.3.

GHSA-q8cj-789h-vg24Medium

OpenBao's Inline Auth Incorrectly Redacted Headers

Vendor

GitHub Security Advisories

Published

May 28, 2026

Last Modified

May 28, 2026

🔗 CVE IDs covered (1)

CVE-2026-46358 →

📋 Description

Impact

OpenBao's inline auth functionality incorrectly redacted audit log entries, resulting in non-auth headers being removed and auth-related headers being retained in cleartext. This requires an attacker to compromise access to the audit device. Operators should review leaked source authentication material and rotate it as appropriate.

Patches

This is fixed in OpenBao v2.5.4.

Resources

https://github.com/openbao/openbao/issues/3074

🎯 Affected products1

go/github.com/openbao/openbao:<= 2.5.3

🔗 References (6)

https://github.com/openbao/openbao/security/advisories/GHSA-q8cj-789h-vg24
https://github.com/openbao/openbao/issues/3074
https://github.com/openbao/openbao/pull/3076
https://github.com/openbao/openbao/commit/131c6966af4dfb4e1906703436eecdb8f2a3e9df
https://github.com/openbao/openbao/releases/tag/v2.5.4
https://github.com/advisories/GHSA-q8cj-789h-vg24