Improper Authentication in OpenBao - CVE-2026-39388


Published: April 21, 2026


Vulnerability identifier: #VU126699
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-39388
CWE-ID: CWE-287
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenBao
Affected software:
OpenBao

Detailed vulnerability description

The vulnerability allows a remote user to modify token renewal behavior and extend the lifetime of dynamic leases.

The vulnerability exists because the certificate authentication method does not properly validate certificate binding when processing token renewal requests with disable_binding=true. A remote privileged user holding a sibling certificate and key signed by the same CA can present it to modify token renewal behavior and extend the lifetime of dynamic leases.

Exploitation requires knowledge of the original token or its accessor.
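Because the weakness is only reachable when disable_binding=true, an operator's first step is to find cert-auth roles configured that way. The following audit helper is an added example, not code from this advisory or from OpenBao: it parses the JSON that `bao read -format=json auth/cert/certs/<role>` prints and lists roles with renewal binding disabled. The `auth/cert/certs/<role>` path, the `disable_binding` key and the `{"data": ...}` envelope are assumptions based on the Vault-derived cert auth API; the sample role output is constructed.

```python
"""Audit OpenBao cert-auth roles for disable_binding=true (added example)."""
import json

# Constructed sample: what `bao read -format=json auth/cert/certs/<role>`
# is assumed to print for three roles. Not captured from a real server.
SAMPLE_ROLE_JSON = {
    "web-clients": json.dumps(
        {"data": {"display_name": "web", "disable_binding": False, "token_ttl": 3600}}),
    "batch-jobs": json.dumps(
        {"data": {"display_name": "batch", "disable_binding": True, "token_ttl": 3600}}),
    # Some tooling emits booleans as strings; the audit must not miss these.
    "legacy": json.dumps(
        {"data": {"display_name": "legacy", "disable_binding": "true"}}),
}


def parse_role(raw: str) -> dict:
    """Unwrap the assumed {"data": {...}} envelope and fail loudly on other shapes."""
    doc = json.loads(raw)
    data = doc.get("data") if isinstance(doc, dict) else None
    if not isinstance(data, dict):
        raise ValueError("unexpected role document: missing 'data' object")
    return data


def binding_disabled(role_data: dict) -> bool:
    """True when the role skips client-identity matching on token renewal."""
    val = role_data.get("disable_binding", False)  # absent key => default false
    if isinstance(val, str):
        return val.strip().lower() in ("true", "1", "yes")
    return bool(val)


def roles_with_relaxed_binding(role_jsons: dict) -> list:
    """Return the sorted names of roles whose renewal binding is disabled."""
    return sorted(name for name, raw in role_jsons.items()
                  if binding_disabled(parse_role(raw)))


if __name__ == "__main__":
    for name in roles_with_relaxed_binding(SAMPLE_ROLE_JSON):
        print(f"review role {name!r}: disable_binding is set")
```

In a live environment, feed the function the output of `bao list -format=json auth/cert/certs` followed by one `bao read` per role, then tighten or re-enable binding on each role it reports.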


How to mitigate CVE-2026-39388

Install the security update from the vendor's website.

Sources