Threat Advisory

OpenBao Vulnerability Enables Cross‐Namespace Lease Hijacking

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-45808 (CVSS score 7.1) is a privilege-escalation flaw in OpenBao's namespace isolation that lets a malicious tenant revoke or renew credentials belonging to another tenant by abusing the legacy, undocumented sys/revoke and sys/renew endpoints; it affects OpenBao releases up to and including version 2.5.3. OpenBao's namespaces are intended to keep lease identifiers and their associated secrets separate per tenant, but the legacy sys/revoke API does not enforce namespace boundaries, so a lease ID leaked by one tenant can be presented by an attacker authenticated in a different namespace to trigger revocation or renewal of the original lease. An adversary needs only valid authentication within any tenant and knowledge of a leaked lease ID to send an HTTP POST to the sys/revoke or sys/renew endpoint, which is reachable without additional network restrictions. Successful exploitation lets the attacker disrupt authentication flows, force credential rotation, or cause denial of service for services relying on the compromised lease, leading to service outages, loss of data integrity, and increased operational overhead. Exploitation requires that a lease ID be exposed (through logging, misconfiguration, or intentional leakage), which makes the attack feasible in multi-tenant deployments sharing a single OpenBao instance.
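
Because exploitation means a legacy sys/revoke or sys/renew call whose lease ID belongs to a namespace other than the caller's, the audit log is where a defender can look for it while the upgrade is pending. The script below is an added detection example, not part of this advisory or of OpenBao; it assumes the Vault-style JSON audit layout (request.path, request.namespace.path, request.data.lease_id), assumes namespaced lease IDs carry their namespace path as a prefix, and runs over constructed sample entries.

```python
import json

# Legacy endpoints named in the advisory; the lease ID may arrive in the body
# (lease_id) or as a path suffix (sys/revoke/<lease_id>), so both are handled.
LEGACY_LEASE_PATHS = ("sys/revoke", "sys/renew")

# Constructed sample audit entries (assumed Vault-style JSON field layout).
SAMPLE_AUDIT_LINES = [
    '{"type":"request","request":{"path":"sys/renew","namespace":{"path":"tenant-a/"},'
    '"data":{"lease_id":"tenant-a/database/creds/app/abc123"}}}',
    '{"type":"request","request":{"path":"sys/revoke","namespace":{"path":"tenant-b/"},'
    '"data":{"lease_id":"tenant-a/database/creds/app/abc123"}}}',
    '{"type":"request","request":{"path":"sys/revoke/tenant-a/database/creds/app/abc123",'
    '"namespace":{"path":"tenant-b/"},"data":{}}}',
    '{"type":"request","request":{"path":"sys/leases/renew","namespace":{"path":"tenant-a/"},'
    '"data":{"lease_id":"tenant-a/database/creds/app/def456"}}}',
    '{"type":"response","request":{"path":"sys/revoke","namespace":{"path":"tenant-b/"},'
    '"data":{"lease_id":"tenant-a/database/creds/app/abc123"}}}',
]

def legacy_endpoint(path):
    """Return the legacy endpoint a request path hits, or None for any other path."""
    return next((p for p in LEGACY_LEASE_PATHS if (path + "/").startswith(p + "/")), None)

def lease_namespace(lease_id, known_namespaces):
    """Namespace a lease ID belongs to ("" = root); longest prefix wins for nested namespaces."""
    for ns in sorted(known_namespaces, key=len, reverse=True):
        if lease_id.startswith(ns):
            return ns
    return ""

def find_cross_namespace_lease_ops(lines, known_namespaces):
    """Flag legacy revoke/renew requests whose lease belongs to another tenant's namespace."""
    findings = []
    for line in lines:
        entry = json.loads(line)
        if entry.get("type") != "request":
            continue  # only request entries carry the caller's namespace
        req = entry.get("request", {})
        path = req.get("path", "")
        endpoint = legacy_endpoint(path)
        if endpoint is None:
            continue  # sys/leases/* is the namespaced API, not the legacy one
        lease_id = (req.get("data") or {}).get("lease_id") or path[len(endpoint) + 1:]
        req_ns = (req.get("namespace") or {}).get("path", "")
        lease_ns = lease_namespace(lease_id, known_namespaces)
        if lease_ns != req_ns:
            findings.append({"endpoint": endpoint, "request_namespace": req_ns,
                             "lease_namespace": lease_ns, "lease_id": lease_id})
    return findings
```

On the sample entries this flags the two tenant-b requests against tenant-a's lease and ignores the tenant's own renewal, the namespaced sys/leases/renew call, and the response record.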

RECOMMENDATION:

  • We recommend updating OpenBao to version 2.5.4.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-v8v8-cm84-m686
