SB2026042177 - Fedora 42 update for openbao

Published: April 21, 2026

Security Bulletin ID: SB2026042177
Severity: Medium
Patch available: Yes
Number of vulnerabilities: 4
Exploitation vector: Remote access
Highest impact: Denial of service

Breakdown by Severity

Medium: 1 (25%)
Low: 3 (75%)

Description

This security bulletin contains information about 4 security vulnerabilities.


1) Improper input validation (CVE-ID: CVE-2026-34986)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in JWE decryption in key_wrap.go when a JWE object that names a key wrapping algorithm arrives with an empty encrypted_key field. A remote attacker can send such a specially crafted JWE object to cause a denial of service.

The issue is reachable through ParseEncrypted(), ParseEncryptedJSON(), or ParseEncryptedCompact() followed by Decrypt(). Applications are affected only if the set of key algorithms they accept includes key wrapping algorithms, so an application that only ever expects direct encryption and accepts only those algorithms is not reachable through this path; keeping the accepted-algorithm list to what is actually used is the check to make while the update is rolled out.
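As an added example, not code from the bulletin, from OpenBao or from the JWE library it refers to, the following stdlib-only Go pre-check can sit in front of the library's parse-and-decrypt path. It enforces an explicit allowlist of key management algorithms (the mitigation the bulletin implies) and rejects a compact JWE whose alg is a key-wrapping algorithm but whose encrypted_key segment is empty (the malformed input the bulletin describes). PreflightCompactJWE, BuildCompactJWE and the sample tokens are assumed names and constructed data; the check is defense in depth, not a replacement for installing the update.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var (
	ErrMalformed         = errors.New("jwe: malformed compact serialization")
	ErrAlgNotAllowed     = errors.New("jwe: alg not in the application's allowlist")
	ErrEmptyEncryptedKey = errors.New("jwe: key-wrapping alg with empty encrypted_key")
)

// keyWrapAlgs lists the JWA key management algorithms (RFC 7518, section 4.1)
// that wrap a content encryption key and therefore must carry a non-empty
// encrypted_key. "dir" and plain "ECDH-ES" legitimately leave it empty.
var keyWrapAlgs = map[string]bool{
	"RSA1_5": true, "RSA-OAEP": true, "RSA-OAEP-256": true,
	"A128KW": true, "A192KW": true, "A256KW": true,
	"A128GCMKW": true, "A192GCMKW": true, "A256GCMKW": true,
	"ECDH-ES+A128KW": true, "ECDH-ES+A192KW": true, "ECDH-ES+A256KW": true,
	"PBES2-HS256+A128KW": true, "PBES2-HS384+A192KW": true, "PBES2-HS512+A256KW": true,
}

// jweHeader holds the only protected-header fields the pre-check needs.
type jweHeader struct {
	Alg string `json:"alg"`
	Enc string `json:"enc"`
}

// PreflightCompactJWE (assumed name) inspects a compact JWE before it is handed
// to the decryption library. It returns the header alg and an error if the
// token is not something this application should ever try to decrypt.
func PreflightCompactJWE(token string, allowedAlgs []string) (string, error) {
	// Compact serialization is exactly five base64url segments:
	// header.encrypted_key.iv.ciphertext.tag (segments may be empty).
	parts := strings.Split(token, ".")
	if len(parts) != 5 {
		return "", ErrMalformed
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return "", fmt.Errorf("%w: protected header: %v", ErrMalformed, err)
	}
	var hdr jweHeader
	if err := json.Unmarshal(raw, &hdr); err != nil || hdr.Alg == "" {
		return "", fmt.Errorf("%w: protected header is not JSON with an alg", ErrMalformed)
	}
	// The allowlist is the application's own policy: anything not on it is
	// refused before the library sees it, so disabling key wrapping here
	// removes the affected code path entirely.
	allowed := false
	for _, a := range allowedAlgs {
		if a == hdr.Alg {
			allowed = true
			break
		}
	}
	if !allowed {
		return hdr.Alg, ErrAlgNotAllowed
	}
	// A key-wrapping alg with nothing to unwrap is the shape of the crafted
	// object in the advisory; refuse it explicitly.
	if keyWrapAlgs[hdr.Alg] && parts[1] == "" {
		return hdr.Alg, ErrEmptyEncryptedKey
	}
	return hdr.Alg, nil
}

// BuildCompactJWE (assumed name) assembles a compact serialization from raw
// segments. Constructed test data only: the ciphertext and tag are not real.
func BuildCompactJWE(headerJSON string, encryptedKey, iv, ciphertext, tag []byte) string {
	enc := base64.RawURLEncoding.EncodeToString
	return strings.Join([]string{
		enc([]byte(headerJSON)), enc(encryptedKey), enc(iv), enc(ciphertext), enc(tag),
	}, ".")
}

func main() {
	hdr := `{"alg":"A256KW","enc":"A256GCM"}`
	iv, ct, tag := []byte("0123456789ab"), []byte("ciphertext"), []byte("0123456789abcdef")
	bad := BuildCompactJWE(hdr, nil, iv, ct, tag)                    // empty encrypted_key
	good := BuildCompactJWE(hdr, []byte("wrapped-cek"), iv, ct, tag) // non-empty
	for _, tok := range []string{bad, good} {
		alg, err := PreflightCompactJWE(tok, []string{"A256KW"})
		fmt.Printf("alg=%s err=%v\n", alg, err)
	}
}
```

The allowlist is deliberately a positional argument rather than a global so that each call site states which algorithms it expects; a service that only uses "dir" passes exactly that and never exposes the key-wrap path.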


2) Improper Authentication (CVE-ID: CVE-2026-39388)

The vulnerability allows a remote user to alter token renewal and extend the lifetime of dynamic leases.

The vulnerability exists due to improper certificate binding validation in the certificate (cert) authentication method when processing token renewal requests while disable_binding=true is set. A remote privileged user who presents a sibling certificate and key issued by the same CA as the original login certificate can alter renewal of another client's token and extend the lifetime of the dynamic leases attached to it.

Exploitation requires knowledge of the original token or its accessor. The affected path is only taken when disable_binding is enabled on the cert auth method, so that setting is the one to check on each cert auth mount while the update is rolled out.


3) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-39396)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to allocation of resources without limits or throttling in ExtractPluginFromImage() in the OCI plugin downloader when extracting a plugin binary from a container image. A remote attacker who can serve a crafted OCI image containing a decompression bomb to the instance can cause a denial of service.

Plugin loading must be triggered, for example by starting OpenBao or reloading its configuration, so user interaction is required; instances with automatic plugin download enabled can be hit again on every restart or reload for as long as they point at the malicious image.
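As an added example, not the OpenBao OCI downloader's own code, the following Go function extracts one named file from a gzip-compressed tar layer with a hard budget on decompressed bytes. The budget is enforced between the gzip and tar readers, so every decompressed byte the tar parser consumes counts, including headers and entries that are skipped over, and an entry whose declared size already exceeds the budget is rejected before any of its data is read. ExtractLimited, BuildTarGz and the 1 MiB all-zeros sample layer (which gzip shrinks to about a kilobyte, the shape of a decompression bomb) are assumed names and constructed data.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
	"path"
)

var (
	ErrDecompressionLimit = errors.New("oci layer: decompressed size exceeds the configured limit")
	ErrNotFound           = errors.New("oci layer: plugin binary not found in layer")
)

// cappedReader passes through at most `remaining` bytes. It is initialised with
// limit+1 so that consuming the extra sentinel byte is what signals that the
// stream is larger than the limit, while a stream of exactly limit bytes passes.
type cappedReader struct {
	r         io.Reader
	remaining int64
}

func (c *cappedReader) Read(p []byte) (int, error) {
	if c.remaining <= 0 {
		return 0, ErrDecompressionLimit
	}
	if int64(len(p)) > c.remaining {
		p = p[:c.remaining]
	}
	n, err := c.r.Read(p)
	c.remaining -= int64(n)
	if c.remaining <= 0 && (err == nil || err == io.EOF) {
		err = ErrDecompressionLimit
	}
	return n, err
}

// ExtractLimited (assumed name) pulls the regular file named wantName out of a
// gzip-compressed tar layer, refusing to decompress more than maxBytes in total.
func ExtractLimited(layer io.Reader, wantName string, maxBytes int64) ([]byte, error) {
	gz, err := gzip.NewReader(layer)
	if err != nil {
		return nil, fmt.Errorf("oci layer: bad gzip stream: %w", err)
	}
	defer gz.Close()
	// The cap sits on the decompressed side of gzip, so the attacker's
	// compression ratio is irrelevant: only output bytes are budgeted.
	tr := tar.NewReader(&cappedReader{r: gz, remaining: maxBytes + 1})
	for {
		hdr, err := tr.Next()
		if errors.Is(err, io.EOF) {
			return nil, ErrNotFound
		}
		if err != nil {
			return nil, err // includes ErrDecompressionLimit hit while skipping entries
		}
		if hdr.Typeflag != tar.TypeReg || path.Clean(hdr.Name) != wantName {
			continue
		}
		// The header size is attacker-controlled too; a declared size over
		// budget is rejected without reading a byte of the entry.
		if hdr.Size > maxBytes {
			return nil, ErrDecompressionLimit
		}
		data, err := io.ReadAll(tr) // bounded by the cap even if hdr.Size lies
		if err != nil {
			return nil, err
		}
		return data, nil
	}
}

// BuildTarGz (assumed name) builds a single-file gzip-compressed tar layer.
// Constructed test data only.
func BuildTarGz(name string, content []byte) []byte {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	hdr := &tar.Header{Name: name, Mode: 0o755, Size: int64(len(content)), Typeflag: tar.TypeReg}
	for _, err := range []error{tw.WriteHeader(hdr), func() error { _, e := tw.Write(content); return e }(), tw.Close(), gz.Close()} {
		if err != nil {
			panic(err)
		}
	}
	return buf.Bytes()
}

func main() {
	// Constructed sample: 1 MiB of zeros, which gzip shrinks to about a kilobyte.
	layer := BuildTarGz("plugin", make([]byte, 1<<20))
	fmt.Printf("compressed layer: %d bytes\n", len(layer))
	_, err := ExtractLimited(bytes.NewReader(layer), "plugin", 64<<10)
	fmt.Println("64 KiB budget:", err)
	data, err := ExtractLimited(bytes.NewReader(layer), "plugin", 2<<20)
	fmt.Printf("2 MiB budget: %d bytes, err=%v\n", len(data), err)
}
```

The budget should be sized to the largest plugin binary the deployment legitimately ships, not to available memory; a layer that needs more than that is treated as hostile rather than accommodated.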


4) Improper access control (CVE-ID: CVE-2026-40264)

The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to improper access control in the token store when handling token renewal or revocation across namespaces. A remote privileged user in one namespace can renew or revoke a token that belongs to another namespace, causing a denial of service for that tenant.

Exploitation requires a leaked token accessor and breaks cross-namespace tenant isolation: an accessor cannot be used in place of the token itself, but here it is enough to act on the token from outside its namespace, so accessors that have appeared in logs or listings visible to other tenants should be treated as sensitive until the update is applied.


Remediation

Install the updated openbao package for Fedora 42 from the vendor.