Zero Day Monitor
Zero Day Monitor © 2026
CVE-2026-33758 · EXPLOITED
openbao · OpenBao

OpenBao has Reflected XSS in its OIDC authentication error message

Description

OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao installations that have an OIDC/JWT authentication method enabled and a role with `callback_mode=direct` configured are vulnerable to XSS via the `error_description` parameter on the page shown for a failed authentication. This allows an attacker to obtain the token used by a victim in the Web UI. The `error_description` parameter has been replaced with a static error message in v2.5.2. The vulnerability can be mitigated by removing any roles with `callback_mode` set to `direct`.

Affected Products

Vendor  | Product | Versions
openbao | OpenBao | < 2.5.2

References

  • https://github.com/openbao/openbao/security/advisories/GHSA-cpj3-3r2f-xj59 (x_refsource_CONFIRM)
  • https://github.com/openbao/openbao/pull/2709 (x_refsource_MISC)
  • https://github.com/openbao/openbao/commit/6e2b2dd84f0e47cebc90d6e79609dd5274732662 (x_refsource_MISC)
  • https://github.com/openbao/openbao/releases/tag/v2.5.2 (x_refsource_MISC)

Related News (2 articles)

Tier C
VulDB · 5h ago
CVE-2026-33758 | OpenBao up to 2.5.1 OIDC/JWT callback_mode error_description cross site scripting
→ No new info (linked only)
Tier B
BSI Advisories · 1d ago
[NEW] [high] OpenBao: Multiple vulnerabilities
→ No new info (linked only)
CISA KEV: No
Actively exploited: Yes
CWE: CWE-20, CWE-79, CWE-116
Published: 3/27/2026
Last enriched: 4h ago (v2)
Tags: security-bypass, cross-site-scripting, remote-attack
Trending Score: 61
Source articles: 4
Independent: 4
Info Completeness: 8/14
Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Verification

State: unverified
Confidence: 0%

Version History

v2
Last enriched 4h ago
v2 · Tier C · 4h ago

Updated product name to OpenBao, changed severity to HIGH, marked as actively exploited, and noted that patch version 2.5.2 is available.

Changed fields: product, severity, activelyExploited, patchAvailable
via VulDB
v1 · 5h ago

Initial creation