CVE-2026-39946 Overview
CVE-2026-39946 affects OpenBao, an open source identity-based secrets management system forked from HashiCorp Vault. The vulnerability resides in the PostgreSQL database secrets engine, where OpenBao fails to apply proper identifier quoting to schema names returned by PostgreSQL during role privilege revocation. The flaw can cause role revocation failures and, in less common scenarios, enable SQL injection executed under the management user context. The issue is classified as improper neutralization of special elements used in an SQL command [CWE-89]. OpenBao addressed the vulnerability in version 2.5.3. The same root cause was inherited from upstream HashiCorp Vault code.
Critical Impact
An attacker who controls schema creation in the backing PostgreSQL database can trigger SQL injection executed with the privileges of the OpenBao management user during role revocation.
Affected Products
- OpenBao versions prior to 2.5.3
- OpenBao deployments using the PostgreSQL database secrets engine
- Environments where database users can create schemas and grant privileges on them
Discovery Timeline
- 2026-04-21 - CVE-2026-39946 published to NVD
- 2026-04-24 - Last updated in NVD database
Technical Details for CVE-2026-39946
Vulnerability Analysis
The vulnerability stems from improper SQL identifier quoting in the OpenBao PostgreSQL database secrets engine. When OpenBao revokes role privileges, it enumerates schemas reported by the PostgreSQL server and constructs SQL statements that reference those schema names. The schema names are interpolated into the query without proper identifier quoting. A schema name that contains SQL metacharacters or crafted syntax breaks out of the intended identifier context. The result is either a failed revocation operation or, in rarer conditions, execution of attacker-influenced SQL as the management user. Because the management user typically holds elevated privileges within the database, successful injection grants broad control over database state, including the ability to read or alter other roles managed by OpenBao.
Root Cause
The root cause is missing identifier quoting on schema names returned by PostgreSQL system catalogs. Identifier quoting in PostgreSQL requires wrapping the name in double quotes and doubling any double quote embedded in it; a name that was only ever valid as a quoted identifier (for example one containing a semicolon or a space) must therefore be quoted again whenever it is written back into a statement. OpenBao concatenated raw schema strings into revocation SQL instead of applying this transformation. The defect was inherited from HashiCorp Vault, where the same code path existed prior to the OpenBao fork.
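The following Go example is added here to show the quoting rule above against the concatenation pattern the advisory describes. It is not OpenBao's or Vault's own code: the statement template, the role name and the schema names are constructed for illustration, and countStatements is a toy tokenizer that counts semicolons outside double-quoted identifiers so the difference between the two builders is visible without a database.

```go
package main

import (
	"fmt"
	"strings"
)

// quoteIdentifier applies the PostgreSQL identifier-quoting rule: wrap the
// name in double quotes and double every embedded double quote.
// Added example; not OpenBao's own helper.
func quoteIdentifier(name string) string {
	return `"` + strings.ReplaceAll(name, `"`, `""`) + `"`
}

// unsafeRevokeSQL mirrors the vulnerable pattern: a schema name read back
// from the PostgreSQL catalog is concatenated into the statement verbatim.
// The template is an assumption standing in for the real revocation SQL.
func unsafeRevokeSQL(schema, role string) string {
	return fmt.Sprintf("REVOKE ALL PRIVILEGES ON SCHEMA %s FROM %s;", schema, role)
}

// safeRevokeSQL quotes both identifiers, so whatever the catalog returns
// stays inside one identifier token and cannot terminate the statement.
func safeRevokeSQL(schema, role string) string {
	return fmt.Sprintf("REVOKE ALL PRIVILEGES ON SCHEMA %s FROM %s;",
		quoteIdentifier(schema), quoteIdentifier(role))
}

// countStatements counts semicolons outside double-quoted identifiers, a
// toy measure of how many statements the server would see. It ignores
// string literals and comments, which is enough for this demonstration.
func countStatements(sql string) int {
	n, inQuote := 0, false
	for _, r := range sql {
		switch {
		case r == '"':
			inQuote = !inQuote
		case r == ';' && !inQuote:
			n++
		}
	}
	return n
}

func main() {
	role := "v_token_app_abc123" // constructed dynamic role name
	// Constructed schema names: one ordinary, one carrying SQL syntax. A
	// schema named the second way is legal; PostgreSQL accepts any quoted name.
	for _, schema := range []string{"reports", "reports; SELECT 1"} {
		u, s := unsafeRevokeSQL(schema, role), safeRevokeSQL(schema, role)
		fmt.Printf("unsafe (%d statement(s)): %s\n", countStatements(u), u)
		fmt.Printf("safe   (%d statement(s)): %s\n", countStatements(s), s)
	}
}
```

With the plain name both builders produce one statement; with the crafted name the unsafe builder yields two statements (the REVOKE and an attacker-chosen SELECT), while the safe builder keeps the whole name inside a single quoted identifier. The same quoting must be applied to every identifier position the revocation path writes, not only the schema.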
Attack Vector
Exploitation requires a database user with permission to create schemas and assign privileges on them within the PostgreSQL instance that OpenBao manages. The attacker creates a schema whose name embeds SQL syntax. When OpenBao later revokes a role that has privileges on that schema, the engine constructs an unsafe SQL statement and executes the attacker-influenced fragment under the management user context. The vulnerability requires high privileges in the database environment but no user interaction, and it is reachable over the network through the secrets engine workflow. Refer to the OpenBao GitHub Security Advisory for full technical context.
Detection Methods for CVE-2026-39946
Indicators of Compromise
- PostgreSQL schemas whose names contain quote characters, semicolons, or SQL keywords inconsistent with operational naming conventions
- OpenBao audit log entries showing failed role revocation operations against the PostgreSQL database secrets engine
- PostgreSQL server logs showing syntax errors or unexpected statements originating from the OpenBao management user during revocation cycles
Detection Strategies
- Inventory all PostgreSQL schemas referenced by OpenBao database secrets engine roles and validate schema names against an allowlist of expected identifiers
- Correlate OpenBao audit events for lease revocation against the PostgreSQL database secrets engine with PostgreSQL server logs to identify malformed revocation SQL; statements that fail to parse never reach the executor and so do not appear in pg_stat_statements, so enable log_min_error_statement (and log_statement where volume permits) on the server side
- Review PostgreSQL role grants to confirm that only trusted accounts hold CREATE privilege on databases managed by OpenBao
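The allowlist check from the first detection strategy, as an added Go example that is not part of the advisory or of OpenBao. It assumes the schema names were pulled with the catalog query shown in the constant and feeds it a constructed sample list; the reasons it reports follow the indicators of compromise listed above (quote characters, semicolons, comment sequences, SQL keywords, names that could only have been created quoted).

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// schemaQuery is the catalog query whose output this check expects; the
// names in main are constructed stand-ins for that output.
const schemaQuery = "SELECT nspname FROM pg_namespace ORDER BY nspname;"

// plainIdent matches an unquoted PostgreSQL identifier of at most 63
// characters: a lowercase letter or underscore followed by lowercase
// letters, digits or underscores. Anything else had to be created quoted.
var plainIdent = regexp.MustCompile(`^[a-z_][a-z0-9_]{0,62}$`)

// keyword matches a whole-word SQL keyword that has no business in a
// schema name. The list is illustrative; extend it for your environment.
var keyword = regexp.MustCompile(`(?i)\b(select|insert|update|delete|drop|alter|grant|revoke|union|create)\b`)

type Finding struct {
	Name   string
	Reason string
}

// auditSchemaNames flags names that could break out of an unquoted
// identifier position or that look like injected SQL. The first matching
// reason wins, ordered from most to least specific. Names that pass are
// not returned; compare those against the inventory of expected schemas.
func auditSchemaNames(names []string) []Finding {
	var out []Finding
	for _, n := range names {
		switch {
		case strings.Contains(n, `"`):
			out = append(out, Finding{n, "embedded double quote"})
		case strings.Contains(n, ";"):
			out = append(out, Finding{n, "statement terminator"})
		case strings.Contains(n, "--") || strings.Contains(n, "/*"):
			out = append(out, Finding{n, "comment sequence"})
		case keyword.MatchString(n):
			out = append(out, Finding{n, "SQL keyword in name"})
		case !plainIdent.MatchString(n):
			out = append(out, Finding{n, "not a plain lowercase identifier"})
		}
	}
	return out
}

func main() {
	fmt.Println("-- source of names:", schemaQuery)
	// Constructed sample: what the query might return on an instance where
	// an untrusted user has been allowed to create schemas.
	names := []string{
		"pg_catalog", "information_schema", "public", "app_data",
		"reports; select 1", `audit"`, "Sales Data", "drop_me", "x--y",
	}
	for _, f := range auditSchemaNames(names) {
		fmt.Printf("%-24q %s\n", f.Name, f.Reason)
	}
}
```

The keyword match is whole-word, so a legitimate name such as drop_me is not flagged while "select all" is; the plainIdent rule catches mixed case and spaces, which are only possible for a schema that was created with a quoted name. Run the check on every database bound to a PostgreSQL secrets engine connection, not only the one the roles target, since the revocation path enumerates what the server reports.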
Monitoring Recommendations
- Forward OpenBao audit logs and PostgreSQL server logs into a centralized analytics platform and alert on revocation failures or SQL syntax errors tied to the management user
- Monitor for new schema creation events in databases bound to OpenBao secrets engines and require change-control review
- Track the deployed OpenBao version across the environment and alert when instances run below 2.5.3
How to Mitigate CVE-2026-39946
Immediate Actions Required
- Upgrade OpenBao to version 2.5.3 or later on all nodes running the PostgreSQL database secrets engine
- Audit existing PostgreSQL schemas managed by OpenBao and rename or remove any schema whose name contains SQL metacharacters
- Revoke CREATE privileges from database users that do not require schema creation capability
Patch Information
OpenBao addressed CVE-2026-39946 in version 2.5.3. The fix applies proper identifier quoting to schema names used in revocation statements within the PostgreSQL database secrets engine. Patch details and the official advisory are available at the OpenBao GitHub Security Advisory GHSA-6vgr-cp5c-ffx3.
Workarounds
- Audit the schemas in PostgreSQL databases managed by OpenBao and verify all schema names conform to safe identifier patterns
- Restrict database users so they cannot create new schemas or grant privileges on them, eliminating the attacker-controlled input path
- Limit the scope of the OpenBao management database account to the minimum privileges required for secrets engine operations
-- Configuration example
-- Revoke schema creation from non-administrative database users
REVOKE CREATE ON DATABASE app_db FROM app_user;
-- Verify which login roles retain CREATE on the database
-- (superusers always report true; review them separately)
SELECT r.rolname, d.datname, has_database_privilege(r.rolname, d.datname, 'CREATE') AS can_create
FROM pg_roles r, pg_database d
WHERE d.datname = 'app_db' AND r.rolcanlogin
ORDER BY can_create DESC, r.rolname;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


