CVE-2026-40264: Cross-Namespace Boundary Bypass via Token Accessor in OpenBao
Vulnerability ID: CVE-2026-40264
CVSS Score: 2.0
Published: 2026-04-21
OpenBao versions prior to 2.5.3 contain an improper namespace context switching vulnerability. An authenticated attacker with administrative privileges in one namespace can perform renewal or revocation operations on token accessors belonging to different namespaces, effectively bypassing multi-tenant isolation boundaries.
TL;DR
A flaw in OpenBao's lookupByAccessor function allows tenant administrators to renew or revoke token accessors across namespace boundaries, breaking multi-tenant isolation.
Technical Details
- CWE ID: CWE-1259
- Attack Vector: Network
- CVSS 4.0 Score: 2.0 (Low)
- EPSS Percentile: 10.53%
- Impact: Denial of Service (Token Revocation)
- Exploit Status: Unexploited
- Privileges Required: High (Administrator)
Affected Systems
- OpenBao: < 2.5.3 (Fixed in: 2.5.3)
Code Analysis
Commit: 059cc59
Fix cross-namespace token accessor lookup vulnerability
Mitigation Strategies
- Upgrade OpenBao to version 2.5.3 or later
- Monitor audit logs for cross-namespace accessor operations
- Secure application logs and audit trails to prevent token accessor leakage
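The audit-log check above can be scripted. The following is an added example, not part of the advisory or of OpenBao's own tooling: it correlates each accessor seen in a token-creation response with the namespace that issued it, then flags renew-accessor/revoke-accessor requests made from a different namespace. It assumes a Vault-compatible JSON audit format in which `request.namespace.path` is logged and accessors are HMAC'd consistently across entries; the sample entries are constructed.

```python
import json

# Constructed sample audit entries (assumed Vault-compatible JSON audit format;
# accessor values are the HMAC'd form that appears in real audit logs).
SAMPLE_AUDIT_LOG = "\n".join([
    json.dumps({"type": "response",
                "request": {"path": "auth/token/create", "operation": "update",
                            "namespace": {"path": "team-a/"}},
                "response": {"auth": {"accessor": "hmac-sha256:aaa111"}}}),
    json.dumps({"type": "response",
                "request": {"path": "auth/token/create", "operation": "update",
                            "namespace": {"path": "team-b/"}},
                "response": {"auth": {"accessor": "hmac-sha256:bbb222"}}}),
    # Benign: a team-b administrator revokes an accessor issued in team-b.
    json.dumps({"type": "request",
                "request": {"path": "auth/token/revoke-accessor", "operation": "update",
                            "namespace": {"path": "team-b/"},
                            "data": {"accessor": "hmac-sha256:bbb222"}}}),
    # Suspicious: a team-b administrator renews an accessor issued in team-a.
    json.dumps({"type": "request",
                "request": {"path": "auth/token/renew-accessor", "operation": "update",
                            "namespace": {"path": "team-b/"},
                            "data": {"accessor": "hmac-sha256:aaa111"}}}),
])

ACCESSOR_OPS = ("auth/token/renew-accessor", "auth/token/revoke-accessor")

def _ns(entry):
    # The root namespace carries no namespace object; normalise it to "".
    return entry.get("request", {}).get("namespace", {}).get("path", "")

def find_cross_namespace_accessor_ops(audit_text):
    """Return (caller_ns, issuing_ns, path, accessor) for each renew/revoke-accessor
    request whose caller namespace differs from the namespace that issued the token."""
    issued_in = {}   # accessor (HMAC'd) -> namespace path that issued it
    findings = []
    for line in audit_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        req = entry.get("request", {})
        # Learn accessor -> issuing namespace from any response carrying auth data
        # (token/create as well as login responses).
        acc = entry.get("response", {}).get("auth", {}).get("accessor")
        if entry.get("type") == "response" and acc:
            issued_in[acc] = _ns(entry)
        if entry.get("type") == "request" and req.get("path") in ACCESSOR_OPS:
            target = req.get("data", {}).get("accessor")
            if target in issued_in and issued_in[target] != _ns(entry):
                findings.append((_ns(entry), issued_in[target], req["path"], target))
    return findings

if __name__ == "__main__":
    for f in find_cross_namespace_accessor_ops(SAMPLE_AUDIT_LOG):
        print("cross-namespace accessor operation:", f)
```

Feed it the audit device's JSON lines in order, since the accessor-to-namespace index is built from entries that precede the accessor operation.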
Remediation Steps:
- Download the OpenBao v2.5.3 binary or relevant container image.
- Perform a standard rolling upgrade of the OpenBao cluster members.
- Verify the upgrade by querying the /sys/health endpoint.
- Review logging infrastructure to ensure token accessors are not broadly accessible.