OpenBao Vulnerabilities Allow Security Bypass and XSS Attacks
Summary
CERT-Bund has issued security advisory WID-SEC-2026-0864 for OpenBao, covering multiple vulnerabilities rated CVSS Base Score 9.6 (critical) that allow a remote, anonymous attacker to bypass security measures or carry out cross-site scripting (XSS) attacks. The advisory lists Open Source OpenBao versions prior to 2.5.2 on Linux and UNIX as affected.
What changed
The advisory covers multiple vulnerabilities in OpenBao, an open-source secrets management solution that stores and manages passwords, API keys and certificates. Rated CVSS Base Score 9.6 (critical) with a temporal score of 8.3 (high), the vulnerabilities allow a remote, anonymous attacker to bypass security controls or carry out cross-site scripting (XSS) attacks. The affected product entry is Open Source OpenBao versions prior to 2.5.2, on Linux and UNIX operating systems.
Organizations running OpenBao should check their installed versions now and apply the available mitigation: the advisory lists versions below 2.5.2 as affected, so upgrading to 2.5.2 or later is the remediation. Because OpenBao holds the credentials and keys that other systems depend on, leaving these vulnerabilities unpatched risks unauthorized access to that sensitive material and, through it, a broader compromise of the systems that rely on it.
What to do next
- Check the installed OpenBao version on every node; anything below 2.5.2 is affected.
- Upgrade to OpenBao 2.5.2 or later; the advisory marks a mitigation as available.
- Assess exposure: OpenBao stores passwords, API keys and certificates, so a security-control bypass puts that material at risk. Plan secret rotation if there is any indication the vulnerabilities were exploited before patching, and remember that XSS affects users who reach OpenBao through a browser.
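The following POSIX shell script is an added example that turns the first two steps into a repeatable check; it is not part of the CERT-Bund advisory or of the OpenBao project's own tooling. It compares a version string against the fixed release 2.5.2 and shows how to pull that string either from the CLI or from the server's health endpoint. Two things are assumptions rather than facts from the advisory: that `bao version` prints a line containing `v<major>.<minor>.<patch>`, and that `GET /v1/sys/health` returns JSON with a `version` field. The sample outputs embedded below are constructed for the demonstration, not captured from a real deployment.

```shell
#!/bin/sh
# Added example (not code from CERT-Bund or the OpenBao project): decide whether
# an installed OpenBao build falls in the affected range (< 2.5.2) named by
# WID-SEC-2026-0864.
#
# Assumptions (not stated in the advisory):
#   - `bao version` prints a line containing "v<major>.<minor>.<patch>"
#   - GET /v1/sys/health returns a JSON object with a "version" field

FIXED_VERSION="2.5.2"

# version_lt A B: exit 0 if A is strictly lower than B, comparing
# major.minor.patch numerically (so 2.10.0 > 2.5.2). A leading "v" and any
# pre-release or build suffix (-rc1, +meta) are stripped before comparing,
# so "v2.5.2-rc1" is treated as 2.5.2; tighten this if release candidates
# must count as older than the final release.
version_lt() {
    a=$(printf '%s' "$1" | sed 's/^v//; s/[-+].*$//')
    b=$(printf '%s' "$2" | sed 's/^v//; s/[-+].*$//')
    old_ifs=$IFS
    IFS=.
    set -- $a; a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $b; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    IFS=$old_ifs
    for pair in "$a1 $b1" "$a2 $b2" "$a3 $b3"; do
        set -- $pair
        [ "$1" -lt "$2" ] && return 0
        [ "$1" -gt "$2" ] && return 1
    done
    return 1   # all components equal
}

# affected VERSION: exit 0 if VERSION is below the fixed release.
affected() {
    version_lt "$1" "$FIXED_VERSION"
}

# version_from_cli: read `bao version` output on stdin, print x.y.z.
version_from_cli() {
    sed -n 's/.*[Vv]\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1
}

# version_from_health: read /v1/sys/health JSON on stdin, print the
# "version" field (a minimal sed extraction; use jq if it is available).
version_from_health() {
    sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# check VERSION LABEL: report the verdict; exit 1 when affected so a CI job
# or fleet sweep can fail on it.
check() {
    v="$1"; label="$2"
    if [ -z "$v" ]; then
        echo "$label: could not determine OpenBao version"
        return 2
    fi
    if affected "$v"; then
        echo "$label: OpenBao $v is affected by WID-SEC-2026-0864; upgrade to >= $FIXED_VERSION"
        return 1
    fi
    echo "$label: OpenBao $v is at or above $FIXED_VERSION"
    return 0
}

# Constructed sample outputs (not captured from a real server or binary).
SAMPLE_CLI='OpenBao v2.5.1 (0123456789abcdef), built 2026-01-15T00:00:00Z'
SAMPLE_HEALTH='{"initialized":true,"sealed":false,"standby":false,"version":"2.5.2","cluster_name":"bao-cluster-1"}'

# Demo run; "|| :" keeps the demo going under `set -e`. In a real sweep,
# drop it so an affected host fails the job.
check "$(printf '%s\n' "$SAMPLE_CLI" | version_from_cli)" "cli-sample" || :
check "$(printf '%s\n' "$SAMPLE_HEALTH" | version_from_health)" "health-sample" || :

# Live use against a real node (assumed commands and endpoint, see above):
#   check "$(bao version | version_from_cli)" "$(hostname)"
#   check "$(curl -s "$BAO_ADDR/v1/sys/health" | version_from_health)" "$BAO_ADDR"
```

Run it on every OpenBao node, or point the health-endpoint variant at each cluster address; a non-zero exit from `check` is the signal to schedule the upgrade.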
Source document (simplified)
[WID-SEC-2026-0864] OpenBao: Multiple vulnerabilities
CVSS Base Score 9.6 (critical), CVSS Temporal Score 8.3 (high), Remote attack: yes, Date 25.03.2026, Last updated 26.03.2026, Mitigation: yes
Affected systems
Operating system
- Linux
- UNIX
Product description
OpenBao is an open-source secrets management solution that securely stores and manages sensitive data such as passwords, API keys and certificates.
Products
25.03.2026
- Open Source OpenBao <2.5.2
Attack
A remote, anonymous attacker can exploit multiple vulnerabilities in OpenBao to bypass security measures or carry out a cross-site scripting attack.