CVE-2026-33758 Overview
OpenBao is an open source identity-based secrets management system. A critical Cross-Site Scripting (XSS) vulnerability has been identified in OpenBao installations that have an OIDC/JWT authentication method enabled with a role configured to use callback_mode=direct. The vulnerability exists in the error_description parameter on the authentication failure page, allowing attackers to inject malicious scripts that can steal authentication tokens used in the Web UI.
Critical Impact
This XSS vulnerability enables attackers to steal authentication tokens from victims using the OpenBao Web UI, potentially granting unauthorized access to sensitive secrets and credentials stored within the system.
Affected Products
- OpenBao versions prior to 2.5.2
- OpenBao installations with OIDC/JWT authentication method enabled
- Configurations with roles using callback_mode=direct
Discovery Timeline
- 2026-03-27 - CVE-2026-33758 published to NVD
- 2026-03-30 - Last updated in NVD database
Technical Details for CVE-2026-33758
Vulnerability Analysis
This vulnerability is a reflected Cross-Site Scripting (XSS) flaw that affects the OIDC/JWT authentication flow in OpenBao. When authentication fails, the application displays an error page that incorporates the error_description parameter directly into the HTML response without proper sanitization. This allows an attacker to craft malicious URLs containing JavaScript payloads that execute in the context of a victim's browser session.
The attack is particularly dangerous because it targets the authentication system, giving attackers direct access to session tokens and authentication credentials. Since OpenBao is a secrets management system, compromising these tokens could lead to exposure of stored secrets, API keys, database credentials, and other sensitive information managed by the platform.
Root Cause
The root cause is improper input validation (CWE-20) of the error_description parameter in the JWT authentication credential handler: the value was rendered directly into the HTML response without encoding or sanitization, so arbitrary HTML and JavaScript could be injected into the page.
Attack Vector
The attack requires user interaction where an attacker must convince a victim to click a malicious link. The attacker crafts a URL targeting the OpenBao authentication endpoint with a malicious error_description parameter containing JavaScript code. When the victim clicks the link and the authentication fails, the malicious script executes in the victim's browser, allowing the attacker to exfiltrate session tokens or perform actions on behalf of the victim.
// Security patch in builtin/credential/jwt/html_responses.go
// Source: https://github.com/openbao/openbao/commit/6e2b2dd84f0e47cebc90d6e79609dd5274732662
package jwtauth
-import "fmt"
+import (
+ "encoding/json"
+ "fmt"
+ "html"
+)
const successHTML = `
<!DOCTYPE html>
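Review bot: the hunk adds encoding/json and html to the import block but the excerpt ends at the first line of successHTML, so none of the call sites are visible; since the advisory states that error_description itself is replaced by a static message, the reviewer should confirm in the full commit that every value still interpolated into successHTML and the failure page goes through html.EscapeString (or json.Marshal when it lands inside a script block) rather than plain fmt.Sprintf concatenation, otherwise the new imports fix one field while leaving the same pattern elsewhere.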
Source: GitHub Commit Update
The patch introduces the html package for proper escaping and the encoding/json package for safe handling of error descriptions. The fix replaces the dynamic error_description parameter with a static error message, eliminating the XSS vector entirely.
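To make the root cause and the shape of the fix concrete, here is an added Go illustration (not OpenBao's handler code): the same failure page rendered with error_description interpolated raw as in the vulnerable versions, HTML-encoded through the html package the patch imports, and replaced by the static message the advisory says v2.5.2 uses. The callback URL, the mount path "oidc", the hostname and the page markup are constructed for the example.

```go
package main

import (
	"fmt"
	"html"
	"net/url"
)

// Constructed illustration, not OpenBao's handler: the same failure page in the shape that
// was vulnerable, with output encoding, and with the static message the fix uses instead.
const pageTemplate = "<!DOCTYPE html><html><body><h1>Authentication failed</h1><p>%s</p></body></html>"

// renderErrorUnsafe splices the IdP-supplied error_description straight into the markup, so
// any tag or attribute inside the value becomes part of the page (the reflected XSS).
func renderErrorUnsafe(errDesc string) string {
	return fmt.Sprintf(pageTemplate, errDesc)
}

// renderErrorEscaped keeps the dynamic text but HTML-encodes it (<, >, &, ', "), so the
// browser displays the characters instead of interpreting them.
func renderErrorEscaped(errDesc string) string {
	return fmt.Sprintf(pageTemplate, html.EscapeString(errDesc))
}

// renderErrorStatic follows what the advisory describes for v2.5.2: the externally supplied
// value is not rendered at all, so there is nothing left to inject into.
func renderErrorStatic(_ string) string {
	return fmt.Sprintf(pageTemplate, "The identity provider reported an error. See the server log for details.")
}

// errorDescriptionFromCallback extracts error_description from the callback URL that, with
// callback_mode=direct, the browser delivers to the OpenBao server after the IdP redirect.
func errorDescriptionFromCallback(rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	return u.Query().Get("error_description"), nil
}

func main() {
	// Constructed callback URL (mount path "oidc" assumed) carrying a harmless marker payload.
	cb := "https://bao.example.com/v1/auth/oidc/oidc/callback?state=s1&error=access_denied&error_description=" +
		url.QueryEscape("<script>alert('xss')</script>")
	desc, _ := errorDescriptionFromCallback(cb)
	fmt.Println("unsafe: ", renderErrorUnsafe(desc))  // the <script> tag reaches the browser intact
	fmt.Println("escaped:", renderErrorEscaped(desc)) // rendered as &lt;script&gt;...
	fmt.Println("static: ", renderErrorStatic(desc))  // the value never appears
}
```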
Detection Methods for CVE-2026-33758
Indicators of Compromise
- Unusual HTTP requests to OIDC/JWT authentication endpoints containing <script> tags or JavaScript event handlers in the error_description parameter
- Authentication error pages being accessed with abnormally long or encoded URL parameters
- Reports of unexpected JavaScript execution or browser behavior during OpenBao authentication failures
Detection Strategies
- Monitor web application logs for requests containing XSS payloads in the error_description parameter
- Implement Web Application Firewall (WAF) rules to detect and block common XSS patterns in authentication-related endpoints
- Review access logs for unusual patterns of authentication failures combined with suspicious parameter values
- Enable Content Security Policy (CSP) headers to detect and report inline script execution attempts
Monitoring Recommendations
- Configure alerting for authentication endpoint requests containing HTML or JavaScript special characters
- Monitor for session token exfiltration attempts by tracking unusual outbound connections following authentication failures
- Implement browser-side monitoring for unexpected script execution in the OpenBao Web UI
- Regularly audit OIDC/JWT role configurations to identify roles using callback_mode=direct
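As an added example serving both the detection strategies and the monitoring recommendations above (it is not part of the advisory or of OpenBao), a small Go scanner walks constructed access-log lines, decodes error_description on requests to the OIDC callback path, and reports values that carry markup or are abnormally long while letting a benign IdP message through. The log line format, the callback path suffix and the length threshold are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed helper, not OpenBao code. Assumed log shape: "<client_ip> <method> <path?query> <status>".
const callbackSuffix, maxDescLen = "/oidc/callback", 256 // assumed callback path suffix; chosen length threshold
var scriptLike = regexp.MustCompile(`(?i)(<|>|javascript:|\bon[a-z]+\s*=)`) // markup, script URL, event handler
// errorDescription returns the decoded error_description of a callback request line ("" otherwise).
// It decodes a second time so double-encoded values (%253C -> %3C -> <) are inspected as well.
func errorDescription(line string) string {
	fields := append(strings.Fields(line), "", "", "") // pad so fields[2] always exists
	u, err := url.Parse(fields[2])
	if err != nil || !strings.HasSuffix(u.Path, callbackSuffix) {
		return ""
	}
	desc := u.Query().Get("error_description")
	if again, err := url.QueryUnescape(desc); err == nil {
		desc = again
	}
	return desc
}

// scanLogs returns "<reason> :: <line>" for callback requests whose error_description carries
// markup or is abnormally long; benign IdP messages and unrelated requests are not reported.
func scanLogs(lines []string) []string {
	var out []string
	for _, ln := range lines {
		if desc := errorDescription(ln); scriptLike.MatchString(desc) {
			out = append(out, "markup in error_description :: "+ln)
		} else if len(desc) > maxDescLen {
			out = append(out, "oversized error_description :: "+ln)
		}
	}
	return out
}

// Constructed samples (RFC 5737 addresses): plain and double-encoded injection, a benign IdP message, an oversized value, an unrelated request.
var sampleLogs = []string{
	"203.0.113.5 GET /v1/auth/oidc/oidc/callback?state=s1&error=access_denied&error_description=%3Cscript%3Ealert(1)%3C%2Fscript%3E 200",
	"203.0.113.6 GET /v1/auth/oidc/oidc/callback?state=s2&error_description=%253Cb%253Ehi%253C%252Fb%253E 200",
	"203.0.113.7 GET /v1/auth/oidc/oidc/callback?state=s3&error=access_denied&error_description=user%20declined%20consent 200",
	"203.0.113.8 GET /v1/auth/oidc/oidc/callback?state=s4&error_description=" + strings.Repeat("a", 300) + " 200",
	"203.0.113.9 GET /v1/sys/health 200",
}
func main() { fmt.Println(strings.Join(scanLogs(sampleLogs), "\n")) }
```

The regex is a heuristic for triage, not a WAF rule: tune the threshold and the pattern against your own IdP's real error texts before alerting on it.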
How to Mitigate CVE-2026-33758
Immediate Actions Required
- Upgrade OpenBao to version 2.5.2 or later immediately
- Audit all OIDC/JWT authentication method configurations to identify roles with callback_mode=direct
- Review access logs for any signs of exploitation attempts
- Consider rotating any credentials or tokens that may have been exposed
Patch Information
OpenBao has released version 2.5.2 which addresses this vulnerability by replacing the dynamic error_description parameter with a static error message. The fix was implemented in Pull Request #2709 and is available in the v2.5.2 release. Full details are available in the GitHub Security Advisory GHSA-cpj3-3r2f-xj59.
Workarounds
- Remove any roles with callback_mode set to direct until the patch can be applied
- Implement strict Content Security Policy headers to mitigate XSS impact
- Use a Web Application Firewall to filter malicious requests to authentication endpoints
- Restrict access to the OpenBao Web UI to trusted networks only
# Configuration example - Remove direct callback mode from OIDC roles
# (assumes the auth method is mounted at auth/oidc; adjust the path for your mount)
# List all roles to identify those with callback_mode=direct
bao list auth/oidc/role
# Read a role's configuration and check its callback_mode value
bao read auth/oidc/role/<role_name>
# Update the role to use the default client callback mode instead of direct
bao write auth/oidc/role/<role_name> callback_mode="client"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

