CVE-2026-39946: SQL Injection in OpenBao PostgreSQL Secrets Engine via Unquoted Schema Identifiers
Vulnerability ID: CVE-2026-39946
CVSS Score: 4.6
Published: 2026-04-21
OpenBao versions prior to 2.5.3 contain an SQL injection vulnerability in the PostgreSQL database secrets engine. When revoking a dynamic role, the engine builds SQL from schema identifiers taken from the database without quoting them, so an attacker who can create a schema with a crafted name can have arbitrary SQL executed with the privileges of the engine's PostgreSQL management user. Exploitation requires a high-privileged database account (one able to create schemas).
TL;DR
Unquoted schema identifiers in OpenBao's PostgreSQL secrets engine allow SQL injection during role revocation. Attackers with schema creation privileges can execute arbitrary SQL as the management user. Fixed in OpenBao v2.5.3.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-89
- Attack Vector: Network
- CVSS Score: 4.6 (Medium)
- EPSS Score: 0.00028
- Exploit Status: None/PoC
- KEV Status: Not Listed
Affected Systems
- OpenBao PostgreSQL Database Secrets Engine
- OpenBao: < 2.5.3 (Fixed in: v2.5.3)
Code Analysis
Commit: 80693a4
Fix SQL injection in PostgreSQL database secrets engine via unquoted schema identifiers
Mitigation Strategies
- Audit existing PostgreSQL schemas for anomalous names containing quotes, semicolons or comment markers (for example by reviewing the output of SELECT nspname FROM pg_namespace as the management user)
- Restrict standard user permissions to prevent arbitrary schema creation (in PostgreSQL, CREATE SCHEMA requires the CREATE privilege on the database; revoke it from roles that do not need it)
- Enforce least privilege for the OpenBao management user
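The bug class described above, together with the schema-name audit from the first mitigation, as an added Go example. This is illustrative code written for this page, not OpenBao's secrets engine code and not the patched function from commit 80693a4: the PostgreSQL identifier-quoting rule is reimplemented inline instead of importing lib/pq, and the REVOKE statement shape, the role name and the schema list are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"strings"
)

// quoteIdentifier applies PostgreSQL's rule for delimited identifiers: wrap the
// name in double quotes and double every embedded double quote. lib/pq's
// QuoteIdentifier does the same (and also truncates at a NUL byte); it is
// reimplemented here so the example runs with no external modules.
func quoteIdentifier(name string) string {
	if i := strings.IndexByte(name, 0); i >= 0 {
		name = name[:i]
	}
	return `"` + strings.ReplaceAll(name, `"`, `""`) + `"`
}

// revokeStatementUnsafe models the bug class: the role is quoted, but the
// schema name, which came back from the database and is attacker-controlled,
// is interpolated verbatim. Illustration only, not OpenBao's actual code.
func revokeStatementUnsafe(schema, role string) string {
	return fmt.Sprintf("REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA %s FROM %s;",
		schema, quoteIdentifier(role))
}

// revokeStatementSafe quotes both identifiers, so whatever the schema is
// called, the whole name stays inside a single identifier token.
func revokeStatementSafe(schema, role string) string {
	return fmt.Sprintf("REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA %s FROM %s;",
		quoteIdentifier(schema), quoteIdentifier(role))
}

// isSuspiciousSchemaName is a deliberately conservative audit filter: only
// plain lower-case identifiers ([a-z0-9_]) pass. Anything else (quotes,
// semicolons, whitespace, comment markers, or upper-case letters that needed
// quoting at CREATE time) is returned for manual review.
func isSuspiciousSchemaName(name string) bool {
	if name == "" {
		return true
	}
	for _, r := range name {
		isLower := r >= 'a' && r <= 'z'
		isDigit := r >= '0' && r <= '9'
		if !isLower && !isDigit && r != '_' {
			return true
		}
	}
	return false
}

// auditSchemaNames returns the names that need review. In a live audit the
// input is the output of `SELECT nspname FROM pg_namespace;` run by the
// management user; here it is fed from a constructed list.
func auditSchemaNames(names []string) []string {
	var flagged []string
	for _, n := range names {
		if isSuspiciousSchemaName(n) {
			flagged = append(flagged, n)
		}
	}
	return flagged
}

func main() {
	// Constructed sample data: three ordinary schemas and one created as
	//   CREATE SCHEMA "public; DROP TABLE audit_log; --";
	// which PostgreSQL accepts as a legal (under 63 bytes) identifier.
	malicious := `public; DROP TABLE audit_log; --`
	schemas := []string{"public", "pg_catalog", "information_schema", malicious}
	role := "v-token-readonly-abc123" // hypothetical dynamic role name

	fmt.Println("unsafe:", revokeStatementUnsafe(malicious, role))
	fmt.Println("safe:  ", revokeStatementSafe(malicious, role))
	fmt.Println("flagged for review:", auditSchemaNames(schemas))
}
```

In the unsafe form the crafted name ends the REVOKE early, runs DROP TABLE as a second statement, and the trailing `--` comments out the rest of the template, so the text after it never causes a syntax error. In the quoted form the same name is one identifier and the statement simply fails or succeeds against that oddly named schema. The audit filter is intentionally strict; a name it flags is not proof of an attack, only a reason to look at who created it.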
Remediation Steps:
- Verify the currently installed OpenBao version
- Plan a maintenance window for the upgrade process
- Upgrade OpenBao to v2.5.3 or later
- Validate PostgreSQL secrets engine functionality post-upgrade