{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33758", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T18:30:14.125Z", "datePublished": "2026-03-27T14:12:33.941Z", "dateUpdated": "2026-03-27T19:58:18.047Z"}, "containers": {"cna": {"title": "OpenBao has Reflected XSS in its OIDC authentication error message", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-116", "lang": "en", "description": "CWE-116: Improper Encoding or Escaping of Output", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "baseScore": 9.4, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "version": "4.0"}}], "references": [{"name": "https://github.com/openbao/openbao/security/advisories/GHSA-cpj3-3r2f-xj59", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openbao/openbao/security/advisories/GHSA-cpj3-3r2f-xj59"}, {"name": "https://github.com/openbao/openbao/pull/2709", "tags": ["x_refsource_MISC"], "url": "https://github.com/openbao/openbao/pull/2709"}, {"name": "https://github.com/openbao/openbao/commit/6e2b2dd84f0e47cebc90d6e79609dd5274732662", "tags": ["x_refsource_MISC"], "url": "https://github.com/openbao/openbao/commit/6e2b2dd84f0e47cebc90d6e79609dd5274732662"}, {"name": "https://github.com/openbao/openbao/releases/tag/v2.5.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/openbao/openbao/releases/tag/v2.5.2"}], "affected": [{"vendor": "openbao", "product": "openbao", "versions": [{"version": "< 2.5.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T14:12:33.941Z"}, "descriptions": [{"lang": "en", "value": "OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao installations that have an OIDC/JWT authentication method enabled and a role with `callback_mode=direct` configured are vulnerable to XSS via the `error_description` parameter on the page for a failed authentication. This allows an attacker access to the token used in the Web UI by a victim. The `error_description` parameter has been replaced with a static error message in v2.5.2. The vulnerability can be mitigated by removing any roles with `callback_mode` set to `direct`."}], "source": {"advisory": "GHSA-cpj3-3r2f-xj59", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T18:55:28.333530Z", "id": "CVE-2026-33758", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T19:58:18.047Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33758", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-27T18:55:28.333530Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T18:55:40.953Z"}}], "cna": {"title": "OpenBao has Reflected XSS in its OIDC authentication error message", "source": {"advisory": "GHSA-cpj3-3r2f-xj59", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.4, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "openbao", "product": "openbao", "versions": [{"status": "affected", "version": "< 2.5.2"}]}], "references": [{"url": "https://github.com/openbao/openbao/security/advisories/GHSA-cpj3-3r2f-xj59", "name": "https://github.com/openbao/openbao/security/advisories/GHSA-cpj3-3r2f-xj59", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/openbao/openbao/pull/2709", "name": "https://github.com/openbao/openbao/pull/2709", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/openbao/openbao/commit/6e2b2dd84f0e47cebc90d6e79609dd5274732662", "name": "https://github.com/openbao/openbao/commit/6e2b2dd84f0e47cebc90d6e79609dd5274732662", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/openbao/openbao/releases/tag/v2.5.2", "name": "https://github.com/openbao/openbao/releases/tag/v2.5.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao installations that have an OIDC/JWT authentication method enabled and a role with `callback_mode=direct` configured are vulnerable to XSS via the `error_description` parameter on the page for a failed authentication. This allows an attacker access to the token used in the Web UI by a victim. The `error_description` parameter has been replaced with a static error message in v2.5.2. The vulnerability can be mitigated by removing any roles with `callback_mode` set to `direct`."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-116", "description": "CWE-116: Improper Encoding or Escaping of Output"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T14:12:33.941Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33758", "state": "PUBLISHED", "dateUpdated": "2026-03-27T19:58:18.047Z", "dateReserved": "2026-03-23T18:30:14.125Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-27T14:12:33.941Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openbao:openbao:*:*:*:*:*:*:*:*", "matchCriteriaId": "F1489D2B-6994-46B2-8550-256B9EFCFD48", "versionEndExcluding": "2.5.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao installations that have an OIDC/JWT authentication method enabled and a role with `callback_mode=direct` configured are vulnerable to XSS via the `error_description` parameter on the page for a failed authentication. This allows an attacker access to the token used in the Web UI by a victim. The `error_description` parameter has been replaced with a static error message in v2.5.2. The vulnerability can be mitigated by removing any roles with `callback_mode` set to `direct`."}], "id": "CVE-2026-33758", "lastModified": "2026-03-30T17:21:54.943", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T15:16:57.863", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/openbao/openbao/commit/6e2b2dd84f0e47cebc90d6e79609dd5274732662"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/openbao/openbao/pull/2709"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/openbao/openbao/releases/tag/v2.5.2"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/openbao/openbao/security/advisories/GHSA-cpj3-3r2f-xj59"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-116"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "OpenBao: reflected XSS in OpenBao OIDC authentication error message", "id": "2452294", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452294"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L", "status": "draft"}, "cwe": "CWE-79", "details": ["A flaw was found in OpenBao. Installations that have an OIDC/JWT authentication method enabled with a role configured to use `callback_mode=direct` are vulnerable to XSS via the `error_description` parameter on the page for a failed authentication. This allows an attacker to access the token used by an authenticated user in the Web UI."], "mitigation": {"lang": "en:us", "value": "To mitigate this vulnerability, review JWT/OIDC authentication configurations and remove or disable any roles that have `callback_mode=direct`."}, "name": "CVE-2026-33758", "package_state": [{"cpe": "cpe:/a:redhat:cryostat:4", "fix_state": "Affected", "package_name": "cryostat/cryostat-storage-rhel9", "product_name": "Cryostat 4"}], "public_date": "2026-03-27T14:12:33Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33758\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33758\nhttps://github.com/openbao/openbao/commit/6e2b2dd84f0e47cebc90d6e79609dd5274732662\nhttps://github.com/openbao/openbao/pull/2709\nhttps://github.com/openbao/openbao/releases/tag/v2.5.2\nhttps://github.com/openbao/openbao/security/advisories/GHSA-cpj3-3r2f-xj59"], "statement": "To exploit this vulnerability, an attacker needs to convince a user to visit a crafted URL, limiting the exposure of this flaw. Due to this reason, this issue has been rated with an important severity.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.5.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "openbao", "source": "cna", "vendor": "openbao"}, "product": "openbao", "vendor": "openbao"}], "analysis": {"en": {"generated_at": "2026-03-27T15:54:41.619398+00:00", "value": {"mitigation_remediation": ["Upgrade to OpenBao v2.5.2 or later, which replaces the error_description parameter with a static message.", "If an upgrade is not immediately possible, delete or modify all roles that use callback_mode=direct so that only redirect mode is employed.", "Verify configuration changes by reviewing the list of roles to ensure no direct callback roles remain.", "Consider disabling the OIDC/JWT authentication method temporarily if the application can function without it.", "Monitor authentication logs for unusual failure patterns or error messages that may indicate exploitation attempts."], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011Site Scripting via a reflected parameter that can expose an authenticated user\u2019s token"}, "threat_synthesis": {"affected_systems": "All OpenBao installations running a version older than 2.5.2 that have one or more roles with callback_mode set to direct and an OIDC/JWT authentication method enabled. The vendor is openbao, product OpenBao, released before the 2.5.2 patch that replaced the dynamic error_message with a static one.", "description_and_impact": "OpenBao systems with OIDC/JWT authentication enabled and roles configured for direct callback are vulnerable to a reflected XSS flaw in the error_description field displayed after a failed authentication. An attacker can inject script into this parameter, which is executed in the victim\u2019s browser, allowing the attacker to steal the bearer token used by the web interface and potentially hijack the victim\u2019s session. The symptom is a page displaying a custom error message that includes unescaped malicious JavaScript, enabling arbitrary client\u2011side code execution.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 9.4, classifying it as critical, and is not currently listed in the CISA KEV catalog. Because the flaw is triggered by a crafted request to the unauthenticated authentication error page, exploitation requires an attacker to drive the user\u2019s browser to a maliciously constructed authentication flow; the vulnerability is readily exploitable if an open\u2011to\u2011world interface is exposed and the user is an authentic OpenBao session. The risk remains high until the product is upgraded or the vulnerable roles are removed."}}}}, "created": "2026-03-27T20:28:40.126466+00:00", "updated": "2026-03-30T07:01:51.968122+00:00", "vendors": ["openbao", "openbao$PRODUCT$openbao"]}