CVE-2026-39388: Authentication Bypass in OpenBao Certificate Token Renewal
Vulnerability ID: CVE-2026-39388
CVSS Score: 2.0
Published: 2026-04-21
OpenBao versions prior to 2.5.3 contain an authentication bypass vulnerability within the Certificate Authentication (auth/cert) method. A flaw in the token renewal logic allows an attacker possessing a valid token and any certificate signed by the same Certificate Authority to improperly renew the token, circumventing intended identity boundaries.
TL;DR
A logical error in OpenBao's auth/cert backend allows attackers with a valid token and a same-CA certificate to bypass identity checks and renew tokens they do not own, extending unauthorized access.
Technical Details
- CWE ID: CWE-287
- Attack Vector: Network
- CVSS 4.0: 2.0 (Low)
- EPSS Score: 0.00032
- Impact: Unauthorized Token Lifetime Extension
- Exploit Status: none
- CISA KEV: No
Affected Systems
- OpenBao auth/cert backend
- OpenBao: < 2.5.3 (fixed in 2.5.3)
Code Analysis
Commit: 9ab7a06
Fix identity binding in auth/cert backend during renewal.
Mitigation Strategies
- Upgrade OpenBao to a patched version (v2.5.3+).
- Avoid configuring roles with disable_binding=true.
- Enforce strict allowed_common_names or allowed_dns_sans on sensitive roles.
- Regularly audit active tokens using lookup-accessor endpoints.
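As an added illustration of the two configuration checks above (not code from the advisory or the OpenBao project), the script below audits the output of `bao read -format=json auth/cert/config` and `bao read -format=json auth/cert/certs/<role>`; the JSON envelope shape and the sample role values are constructed assumptions, not data from a real cluster.

```python
import json

# Constructed sample outputs (not from a real cluster) in the shape of
# `bao read -format=json auth/cert/config` and
# `bao read -format=json auth/cert/certs/<role>`: the CLI wraps the fields
# under "data" (assumption: OpenBao's CLI keeps the Vault-style envelope).
SAMPLE_CONFIG = json.dumps({"data": {"disable_binding": True}})
SAMPLE_ROLES = {
    "web-clients": json.dumps({"data": {
        "allowed_common_names": ["app.internal.example"],
        "allowed_dns_sans": [],
        "token_ttl": 3600}}),
    "legacy": json.dumps({"data": {
        "allowed_common_names": [],
        "allowed_dns_sans": [],
        "token_ttl": 86400}}),
}


def audit_cert_auth(config_json, roles_json):
    """Return (path, finding) pairs for settings this advisory says to avoid."""
    findings = []
    cfg = json.loads(config_json).get("data") or {}
    # disable_binding skips the login-identity match on renewal; check it at
    # both the backend config and the per-role level, since where it is
    # surfaced depends on the deployed version.
    if cfg.get("disable_binding"):
        findings.append(("auth/cert/config", "disable_binding=true"))
    for name, raw in sorted(roles_json.items()):
        role = json.loads(raw).get("data") or {}
        path = f"auth/cert/certs/{name}"
        if role.get("disable_binding"):
            findings.append((path, "disable_binding=true"))
        # Without CN or DNS-SAN restrictions, any certificate chaining to the
        # role's CA satisfies the role, which is the precondition the bypass needs.
        if not role.get("allowed_common_names") and not role.get("allowed_dns_sans"):
            findings.append((path, "no allowed_common_names/allowed_dns_sans restriction"))
    return findings


if __name__ == "__main__":
    for path, finding in audit_cert_auth(SAMPLE_CONFIG, SAMPLE_ROLES):
        print(f"{path}: {finding}")
```

Feed it the real CLI output for each role name returned by `bao list -format=json auth/cert/certs` to review a live cluster.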
Remediation Steps
- Identify the current version of OpenBao running in the environment.
- Review the configuration of all auth/cert roles to identify usage of disable_binding=true.
- Download the OpenBao v2.5.3 binary from the official repository.
- Perform a rolling restart of the OpenBao cluster nodes with the updated binary.
- Force re-authentication for clients utilizing the auth/cert backend to ensure all active tokens contain the new base64-encoded certificate metadata.