Nixpkgs security tracker

Untriaged

Permalink CVE-2026-33758

created 3 weeks, 1 day ago

OpenBao has Reflected XSS in its OIDC authentication error message

OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao installations that have an OIDC/JWT authentication method enabled and a role with `callback_mode=direct` configured are vulnerable to XSS via the `error_description` parameter on the page for a failed authentication. This allows an attacker access to the token used in the Web UI by a victim. The `error_description` parameter has been replaced with a static error message in v2.5.2. The vulnerability can be mitigated by removing any roles with `callback_mode` set to `direct`.

References

https://github.com/openbao/openbao/security/advisories/GHSA-cpj3-3r2f-xj59 x_refsource_CONFIRM
https://github.com/openbao/openbao/pull/2709 x_refsource_MISC
https://github.com/openbao/openbao/commit/6e2b2dd84f0e47cebc90d6e79609dd5274732662 x_refsource_MISC
https://github.com/openbao/openbao/releases/tag/v2.5.2 x_refsource_MISC

Affected products

openbao

==< 2.5.2

Matching in nixpkgs

pkgs.openbao

Open source, community-driven fork of Vault managed by the Linux Foundation

nixos-unstable 2.5.1
- nixpkgs-unstable 2.5.1
- nixos-unstable-small 2.5.2
nixos-25.11 2.4.4
- nixos-25.11-small 2.5.2
- nixpkgs-25.11-darwin 2.4.4

Package maintainers

@brianmay Brian May <brian@linuxpenguins.xyz>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.openbao

Package maintainers