Allocation of Resources Without Limits or Throttling in OpenBao - CVE-2026-39396

Published: April 21, 2026


Vulnerability identifier: #VU126701
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-39396
CWE-ID: CWE-770
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenBao
Affected software:
OpenBao

Detailed vulnerability description

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists because ExtractPluginFromImage() in the OCI plugin downloader decompresses a plugin binary out of a container image layer without bounding the amount of data it allocates or writes (CWE-770). A remote attacker who can serve the image that OpenBao is configured to pull can supply a crafted OCI image containing a decompression bomb, a small compressed payload that expands to a very large output, and exhaust the host's resources during extraction, causing a denial of service.

Exploitation requires an action that triggers plugin loading, such as starting OpenBao or reloading its configuration, which is why the vector records user interaction (UI:A) and an attack prerequisite (AT:P). Instances with automatic plugin download enabled are exposed again on every restart or reload as long as the malicious image remains the configured source.
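The following Go program is an added illustration of the bug class, not OpenBao's code and not the fix; every name in it (MakeBombLayer, extractUnbounded, extractBounded, the "plugin" entry name, the 8 MiB limit) is assumed for the example. It builds a constructed gzip-compressed tar layer in which a few tens of kilobytes expand to 32 MiB of zeros, shows an extractor that trusts the archive and allocates the whole thing, and places beside it a bounded extractor that rejects the entry both on its declared size and on the bytes actually consumed.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

// ErrTooLarge is returned when a plugin entry exceeds the extraction limit.
var ErrTooLarge = errors.New("decompressed plugin exceeds size limit")

// zeroReader yields an endless stream of zero bytes, which deflate compresses
// at roughly 1000:1, the shape of a decompression bomb.
type zeroReader struct{}

func (zeroReader) Read(p []byte) (int, error) {
	for i := range p {
		p[i] = 0
	}
	return len(p), nil
}

// MakeBombLayer builds a constructed gzip+tar layer (assumed format for the
// example) holding one file of n zero bytes.
func MakeBombLayer(name string, n int64) []byte {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	if err := tw.WriteHeader(&tar.Header{Name: name, Mode: 0o755, Size: n}); err != nil {
		panic(err)
	}
	if _, err := io.CopyN(tw, zeroReader{}, n); err != nil {
		panic(err)
	}
	tw.Close()
	gz.Close()
	return buf.Bytes()
}

// findEntry walks the layer until it reaches the named tar entry.
func findEntry(layer []byte, name string) (*tar.Header, *tar.Reader, error) {
	gz, err := gzip.NewReader(bytes.NewReader(layer))
	if err != nil {
		return nil, nil, err
	}
	tr := tar.NewReader(gz)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil, nil, fmt.Errorf("%s not found in layer", name)
		}
		if err != nil {
			return nil, nil, err
		}
		if hdr.Name == name {
			return hdr, tr, nil
		}
	}
}

// extractUnbounded is the vulnerable pattern: it reads the whole entry into
// memory, growing as far as the attacker-controlled archive says.
func extractUnbounded(layer []byte, name string) ([]byte, error) {
	_, tr, err := findEntry(layer, name)
	if err != nil {
		return nil, err
	}
	return io.ReadAll(tr)
}

// extractBounded is the hardened form: reject on the declared size first, then
// cap the bytes actually consumed so the limit holds even if the header lies.
func extractBounded(layer []byte, name string, limit int64) ([]byte, error) {
	hdr, tr, err := findEntry(layer, name)
	if err != nil {
		return nil, err
	}
	if hdr.Size > limit {
		return nil, ErrTooLarge
	}
	// Read at most limit+1 bytes; anything beyond limit means the entry lied.
	data, err := io.ReadAll(io.LimitReader(tr, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > limit {
		return nil, ErrTooLarge
	}
	return data, nil
}

func main() {
	layer := MakeBombLayer("plugin", 32<<20) // 32 MiB of zeros
	fmt.Printf("layer on the wire: %d bytes\n", len(layer))
	data, _ := extractUnbounded(layer, "plugin")
	fmt.Printf("unbounded extraction allocated %d bytes\n", len(data))
	_, err := extractBounded(layer, "plugin", 8<<20)
	fmt.Println("bounded extraction:", err)
}
```

The declared-size check alone is enough against Go's archive/tar, which never returns more than hdr.Size bytes for an entry, but keeping the LimitReader as well means the ceiling does not depend on that framing and survives a later refactor that reads the layer some other way. A real downloader would apply the same cap to the temporary file it writes to disk, not just to memory.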


How to mitigate CVE-2026-39396

Install the security update from the vendor's website. Until it is applied, the exposure is limited to images OpenBao is configured to pull, so restricting plugin downloads to a registry you control and pinning images by digest reduces the chance of loading an attacker-served image; this is general hardening, not vendor-published guidance.
