Incomplete cleanup in OpenBao - CVE-2026-42186


Published: May 4, 2026


Vulnerability identifier: #VU129537
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-42186
CWE-ID: CWE-459
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenBao
Affected software:
OpenBao

Detailed vulnerability description

The vulnerability allows a remote user to modify data by causing incomplete namespace deletion.

The vulnerability exists because namespace deletion handling does not properly remove the namespace's data when a deletion is retried after an initial deletion failure. A remote user can trigger repeated namespace deletion attempts so that leases or unrelated storage entries are left behind undeleted, and thereby modify data.

The issue occurs when the initial namespace deletion attempt fails and a subsequent retry marks the namespace as deleted before all of its data has been removed.
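Added here as an illustration, not OpenBao's code: a hypothetical Go model of the delete-then-retry flow the advisory describes, showing the incomplete-cleanup pattern beside a version that marks the namespace deleted only once every dependent entry is gone. The names (Namespace, flakyStore, removeAll, the deleting marker) and the transient-failure store are assumptions constructed for this example.

```go
package main

import "errors"

// Hypothetical namespace model (not OpenBao's code): Entries are the leases and
// storage keys that must be gone before the namespace may be marked deleted.
type Namespace struct {
	Deleted  bool
	deleting bool // persisted "deletion started" marker
	Entries  map[string]bool
}

// flakyStore fails its first failuresLeft deletions (a transient backend error).
type flakyStore struct{ failuresLeft int }

func (s *flakyStore) removeAll(ns *Namespace) error {
	for k := range ns.Entries {
		if s.failuresLeft > 0 {
			s.failuresLeft--
			return errors.New("transient storage error") // attempt stops part-way
		}
		delete(ns.Entries, k)
	}
	return nil
}

// CWE-459 pattern from the advisory: a retry trusts that the first attempt
// finished and marks the namespace deleted while entries are still present.
func deleteNamespaceFlawed(s *flakyStore, ns *Namespace) error {
	if !ns.deleting {
		ns.deleting = true
		if err := s.removeAll(ns); err != nil {
			return err
		}
	}
	ns.Deleted = true // bug: on retry nothing is re-checked
	return nil
}

// Fixed: re-run cleanup on every attempt; mark deleted only once nothing remains.
func deleteNamespaceFixed(s *flakyStore, ns *Namespace) error {
	if err := s.removeAll(ns); err != nil {
		return err
	}
	if len(ns.Entries) != 0 {
		return errors.New("entries remain; not marking deleted")
	}
	ns.Deleted = true
	return nil
}
```

With one transient failure, the flawed path reports the namespace deleted on the retry while its entries remain in the store; the fixed path returns an error until the retry has actually removed them.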


How to mitigate CVE-2026-42186

Install the security update from the vendor's website.

Sources