{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33757", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T18:30:14.125Z", "datePublished": "2026-03-27T14:10:58.639Z", "dateUpdated": "2026-03-30T12:04:11.591Z"}, "containers": {"cna": {"title": "OpenBao lacks user confirmation for OIDC direct callback mode", "problemTypes": [{"descriptions": [{"cweId": "CWE-384", "lang": "en", "description": "CWE-384: Session Fixation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/openbao/openbao/security/advisories/GHSA-7q7g-x6vg-xpc3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openbao/openbao/security/advisories/GHSA-7q7g-x6vg-xpc3"}, {"name": "https://github.com/openbao/openbao/commit/e32103951925723e9787e33886ab6b6ec20f4964", "tags": ["x_refsource_MISC"], "url": "https://github.com/openbao/openbao/commit/e32103951925723e9787e33886ab6b6ec20f4964"}, {"name": "https://datatracker.ietf.org/doc/html/rfc8628#section-5.4", "tags": ["x_refsource_MISC"], "url": "https://datatracker.ietf.org/doc/html/rfc8628#section-5.4"}], "affected": [{"vendor": "openbao", "product": "openbao", "versions": [{"version": "< 2.5.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T14:10:58.639Z"}, "descriptions": [{"lang": "en", "value": "OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao does not prompt for user confirmation when logging in via JWT/OIDC and a role with `callback_mode` set to `direct`. This allows an attacker to start an authentication request and perform \"remote phishing\" by having the victim visit the URL and automatically log-in to the session of the attacker. Despite being based on the authorization code flow, the `direct` mode calls back directly to the API and allows an attacker to poll for an OpenBao token until it is issued. Version 2.5.2 includes an additional confirmation screen for `direct` type logins that requires manual user interaction in order to finish the authentication. This issue can be worked around either by removing any roles with `callback_mode=direct` or enforcing confirmation for every session on the token issuer side for the Client ID used by OpenBao."}], "source": {"advisory": "GHSA-7q7g-x6vg-xpc3", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T12:03:22.886283Z", "id": "CVE-2026-33757", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T12:04:11.591Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33757", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-30T12:03:22.886283Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T12:04:08.100Z"}}], "cna": {"title": "OpenBao lacks user confirmation for OIDC direct callback mode", "source": {"advisory": "GHSA-7q7g-x6vg-xpc3", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.6, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "openbao", "product": "openbao", "versions": [{"status": "affected", "version": "< 2.5.2"}]}], "references": [{"url": "https://github.com/openbao/openbao/security/advisories/GHSA-7q7g-x6vg-xpc3", "name": "https://github.com/openbao/openbao/security/advisories/GHSA-7q7g-x6vg-xpc3", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/openbao/openbao/commit/e32103951925723e9787e33886ab6b6ec20f4964", "name": "https://github.com/openbao/openbao/commit/e32103951925723e9787e33886ab6b6ec20f4964", "tags": ["x_refsource_MISC"]}, {"url": "https://datatracker.ietf.org/doc/html/rfc8628#section-5.4", "name": "https://datatracker.ietf.org/doc/html/rfc8628#section-5.4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao does not prompt for user confirmation when logging in via JWT/OIDC and a role with `callback_mode` set to `direct`. This allows an attacker to start an authentication request and perform \"remote phishing\" by having the victim visit the URL and automatically log-in to the session of the attacker. Despite being based on the authorization code flow, the `direct` mode calls back directly to the API and allows an attacker to poll for an OpenBao token until it is issued. Version 2.5.2 includes an additional confirmation screen for `direct` type logins that requires manual user interaction in order to finish the authentication. This issue can be worked around either by removing any roles with `callback_mode=direct` or enforcing confirmation for every session on the token issuer side for the Client ID used by OpenBao."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-384", "description": "CWE-384: Session Fixation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T14:10:58.639Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33757", "state": "PUBLISHED", "dateUpdated": "2026-03-30T12:04:11.591Z", "dateReserved": "2026-03-23T18:30:14.125Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-27T14:10:58.639Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openbao:openbao:*:*:*:*:*:*:*:*", "matchCriteriaId": "F1489D2B-6994-46B2-8550-256B9EFCFD48", "versionEndExcluding": "2.5.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao does not prompt for user confirmation when logging in via JWT/OIDC and a role with `callback_mode` set to `direct`. This allows an attacker to start an authentication request and perform \"remote phishing\" by having the victim visit the URL and automatically log-in to the session of the attacker. Despite being based on the authorization code flow, the `direct` mode calls back directly to the API and allows an attacker to poll for an OpenBao token until it is issued. Version 2.5.2 includes an additional confirmation screen for `direct` type logins that requires manual user interaction in order to finish the authentication. This issue can be worked around either by removing any roles with `callback_mode=direct` or enforcing confirmation for every session on the token issuer side for the Client ID used by OpenBao."}], "id": "CVE-2026-33757", "lastModified": "2026-03-30T17:23:24.993", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-27T15:16:57.690", "references": [{"source": "security-advisories@github.com", "tags": ["Technical Description"], "url": "https://datatracker.ietf.org/doc/html/rfc8628#section-5.4"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/openbao/openbao/commit/e32103951925723e9787e33886ab6b6ec20f4964"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/openbao/openbao/security/advisories/GHSA-7q7g-x6vg-xpc3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-384"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "OpenBao: lack of user confirmation for OpenBao OIDC direct callback mode", "id": "2452269", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452269"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L", "status": "draft"}, "cwe": "CWE-384", "details": ["A flaw was found in OpenBao. A missing prompt for user confirmation when logging in via the JWT/OIDC authentication method with a role configured to use `callback_mode=direct` allows an attacker to initiate an authentication request and perform a \"remote phishing\" attack by tricking an authenticated user into visiting a crafted URL, automatically logging the user into the session of the attacker."], "mitigation": {"lang": "en:us", "value": "To mitigate this vulnerability, review JWT/OIDC authentication configurations and remove or disable any roles that have `callback_mode=direct`, or enforce a manual confirmation prompt for every session specifically for the Client ID used by OpenBao."}, "name": "CVE-2026-33757", "package_state": [{"cpe": "cpe:/a:redhat:cryostat:4", "fix_state": "Affected", "package_name": "cryostat/cryostat-storage-rhel9", "product_name": "Cryostat 4"}], "public_date": "2026-03-27T14:10:58Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33757\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33757\nhttps://datatracker.ietf.org/doc/html/rfc8628#section-5.4\nhttps://github.com/openbao/openbao/commit/e32103951925723e9787e33886ab6b6ec20f4964\nhttps://github.com/openbao/openbao/security/advisories/GHSA-7q7g-x6vg-xpc3"], "statement": "To exploit this vulnerability, an attacker needs to convince a user to visit a crafted URL, limiting the exposure of this flaw. Due to this reason, this issue has been rated with an important severity.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.5.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "openbao", "source": "cna", "vendor": "openbao"}, "product": "openbao", "vendor": "openbao"}], "analysis": {"en": {"generated_at": "2026-03-27T15:55:11.839170+00:00", "value": {"mitigation_remediation": ["Upgrade to OpenBao 2.5.2 or later", "Disable or remove any roles configured with callback_mode=direct", "If upgrading is not immediately possible, enforce confirmation on the identity provider for the Client ID used by OpenBao", "Review all role configurations for direct callback usage and eliminate them if not required", "Monitor authentication logs for unexpected or suspicious login attempts"], "summary": {"action": "Patch Immediately", "impact": "Remote phishing via silent OAuth login leading to unauthorized access"}, "threat_synthesis": {"affected_systems": "Affected systems are installations of the open source OpenBao secrets management platform, specifically versions prior to 2.5.2. The flaw is present whenever a role is configured with `callback_mode=direct`. Any instance that permits such roles without additional safeguards is vulnerable. The vulnerability does not appear to be vendor\u2011specific beyond OpenBao itself.", "description_and_impact": "The vulnerability in OpenBao's identity management system arises from the lack of a confirmation prompt when users authenticate via JWT/OIDC with the `direct` callback mode. This flaw allows an attacker to initiate an authentication request and trick the victim into visiting a crafted URL, causing the victim to automatically authenticate to the attacker\u2019s session. The attacker can then poll the API until an OpenBao token is issued, effectively bypassing manual user consent. The weakness corresponds to improper authentication and confirmation (CWE\u2011384).", "risk_and_exploitability": "The CVSS base score of 9.6 classifies this flaw as critical, and the absence of an EPSS score means no specific exploitation probability is published. The issue is not yet listed in the CISA KEV catalog, but the lack of a confirmation step creates a significant attack surface for remote phishing. An attacker who can place a victim on the malicious login link could obtain a valid token, gaining unauthorized access to secrets or other privileged data."}}}}, "created": "2026-03-27T20:28:42.009982+00:00", "updated": "2026-03-30T07:01:53.828239+00:00", "vendors": ["openbao", "openbao$PRODUCT$openbao"]}