400 matches found

Fedora
added 6 days ago, 6 views

[SECURITY] Fedora 44 Update: openbao-2.5.4-1.fc44

Openbao secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. Openbao handles leasing, key revocation, key rolling, and auditing. Through a unified API, users can access an encrypted Key/Value store and network...

AI score: 5.8 | Exploits: 0

Redos
added 6 days ago, 7 views

ROS-20260529-73-0014

The vulnerability in openbao is related to the lack of mechanisms for encoding or shielding output data. Exploiting this vulnerability allows a remote attacker to execute arbitrary code...

CVSS: 9.4 | AI score: 6.1 | EPSS: 0.00035 | Exploits: 0

Tenable Nessus
added 6 days ago, 6 views

Fedora 44 : openbao (2026-bf7889aec6)

The remote Fedora 44 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-bf7889aec6 advisory. Update to upstream-2.5.4, including fixes for CVE-2026-46358, CVE-2026-46405, and CVE-2026-45808. Tenable has extracted the preceding description blo...

AI score: 5.8 | Exploits: 0 | References: 4

Tenable Nessus
added 6 days ago, 5 views

Fedora 43 : openbao (2026-d4e8f0a731)

The remote Fedora 43 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-d4e8f0a731 advisory. Update to upstream-2.5.4, including fixes for CVE-2026-46358, CVE-2026-46405, and CVE-2026-45808. Tenable has extracted the preceding description blo...

AI score: 5.8 | Exploits: 0 | References: 4

Redos
added 6 days ago, 8 views

ROS-20260529-73-0015

The vulnerability in openbao is related to improper session management. Exploiting this vulnerability can allow a remote attacker to intercept a user’s session...

CVSS: 9.6 | AI score: 5.8 | EPSS: 0.0004 | Exploits: 0

Github Security Blog
added last week, 11 views

OpenBao's Kerberos Auth Method Accumulates Unaccessible Tokens

Impact: In OpenBao's Kerberos auth method on the GET handler, or when an Authorization: Negotiate header is supplied, the response includes a logical.Auth object in addition to an error message. This results in tokens being created with only the default policy, default TTL, and no entity...

AI score: 5.8 | Exploits: 0 | References: 5 | Affected Software: 1

OSV
added last week, 7 views

GHSA-7J6W-VVW2-5F9C OpenBao's Kerberos Auth Method Accumulates Unaccessible Tokens

Impact: In OpenBao's Kerberos auth method on the GET handler, or when an Authorization: Negotiate header is supplied, the response includes a logical.Auth object in addition to an error message. This results in tokens being created with only the default policy, default TTL, and no entity...

CVSS: 5.3 | AI score: 5.8 | Exploits: 0 | References: 5

Github Security Blog
added last week, 13 views

OpenBao's Inline Auth Incorrectly Redacted Headers

Impact: OpenBao's inline auth functionality incorrectly redacted audit log entries, resulting in non-auth headers being removed and auth-related headers being retained in cleartext. This requires an attacker to compromise access to the audit device. Operators should review leaked source...

AI score: 5.8 | Exploits: 0 | References: 6 | Affected Software: 1

OSV
added last week, 8 views

GHSA-Q8CJ-789H-VG24 OpenBao's Inline Auth Incorrectly Redacted Headers

Impact: OpenBao's inline auth functionality incorrectly redacted audit log entries, resulting in non-auth headers being removed and auth-related headers being retained in cleartext. This requires an attacker to compromise access to the audit device. Operators should review leaked source...

CVSS: 5.4 | AI score: 5.8 | Exploits: 0 | References: 6

Github Security Blog
added last week, 9 views

OpenBao's cross-namespace lease revocation via legacy sys/revoke path bypasses ACL

Impact: OpenBao's namespaces provide multi-tenant separation. A tenant who intentionally leaks lease identifiers can have their lease and underlying credential revoked or renewed by a user in another tenant via the legacy, undocumented sys/revoke and sys/renew endpoints. Patch: This will be address...

AI score: 5.8 | Exploits: 0 | References: 5 | Affected Software: 1

OSV
added last week, 3 views

GHSA-V8V8-CM84-M686 OpenBao's cross-namespace lease revocation via legacy sys/revoke path bypasses ACL

Impact: OpenBao's namespaces provide multi-tenant separation. A tenant who intentionally leaks lease identifiers can have their lease and underlying credential revoked or renewed by a user in another tenant via the legacy, undocumented sys/revoke and sys/renew endpoints. Patch: This will be address...

CVSS: 7.1 | AI score: 5.8 | Exploits: 0 | References: 5

Redos
added 2026/05/27 12:0 a.m., 12 views

ROS-20260527-73-0006

Vulnerability in openbao related to uncontrolled resource consumption. Exploitation of the vulnerability could allow an attacker acting remotely to cause a denial of service...

CVSS: 6.5 | AI score: 5.8 | EPSS: 0.00054 | Exploits: 1

Redos
added 2026/05/27 12:0 a.m., 8 views

ROS-20260527-73-0003

Vulnerability in openbao related to errors in certificate authentication procedure. The vulnerability can be exploited remotely...

CVSS: 3.1 | AI score: 5.8 | EPSS: 0.00021 | Exploits: 0

Redos
added 2026/05/27 12:0 a.m., 8 views

ROS-20260527-73-0005

Vulnerability in openbao related to security token assignment restriction errors. Exploitation of the vulnerability could allow an attacker to escalate their privileges...

CVSS: 2.7 | AI score: 5.8 | EPSS: 0.0005 | Exploits: 0

Redos
added 2026/05/27 12:0 a.m., 9 views

ROS-20260527-73-0004

Vulnerability in openbao due to failure to take measures to protect SQL query structure. Exploitation of the vulnerability could allow an attacker acting remotely to execute arbitrary code...

CVSS: 4.9 | AI score: 6.2 | EPSS: 0.00032 | Exploits: 0

Positive Technologies
added 2026/05/21 12:0 a.m., 6 views

PT-2026-42807

Name of the Vulnerable Software and Affected Versions: OpenBao versions prior to 2.5.4. Description: Namespaces in OpenBao are designed to provide multi-tenant separation. However, a tenant that leaks lease identifiers may allow a user from another tenant to revoke or renew their lease and underlyin...

CVSS: 7.1 | AI score: 5.8 | Exploits: 0 | References: 13

OSV
added 2026/05/21 12:0 a.m., 2 views

OPENSUSE-SU-2026:10835-1 openbao-2.5.4-1.1 on GA media

These are all security issues fixed in the openbao-2.5.4-1.1 package on the GA media of openSUSE Tumbleweed...

AI score: 5.8 | Exploits: 0 | References: 3

Positive Technologies
added 2026/05/21 12:0 a.m., 5 views

PT-2026-42809

Name of the Vulnerable Software and Affected Versions: OpenBao versions prior to 2.5.4. Description: In the Kerberos authentication method, the GET handler or the use of an Authorization: Negotiate header causes the response to include a logical.Auth object alongside an error message. This leads to...

CVSS: 5.3 | AI score: 5.8 | Exploits: 0 | References: 10

Positive Technologies
added 2026/05/21 12:0 a.m., 4 views

PT-2026-42808

Name of the Vulnerable Software and Affected Versions: OpenBao versions prior to 2.5.4. Description: The inline auth functionality incorrectly redacts audit log entries. This causes non-auth headers to be removed while auth-related headers are retained in cleartext. Exploitation requires an attacker...

CVSS: 5.4 | AI score: 5.8 | Exploits: 0 | References: 11

OSV
added 2026/05/18 1:51 p.m., 2 views

CLEANSTART-2026-OU18540 Security fixes for CVE-2025-47911, CVE-2025-47913, CVE-2025-47914, CVE-2025-54410, CVE-2025-58181, CVE-2025-58190, CVE-2025-61727, CVE-2025-61729, CVE-2025-68121, CVE-2026-1229, CVE-2026-24051, CVE-2026-25679, CVE-2026-26958, CVE-2026-27139, CVE-2026-27142, CVE-2026-32280, CVE-2026-32281, CVE-2026-32282, CVE-2026-32283, CVE-2026-32289, CVE-2026-32952, CVE-2026-33186, CVE-2026-34986, CVE-2026-39883, ghsa-78h2-9frx-2jm8, ghsa-hfvc-g4fc-pqhx, ghsa-pjcq-xvwq-hhpj applied in versions: 2.2.2-r6, 2.2.2-r7, 2.2.2-r8, 2.3.2-r4, 2.4.4-r2, 2.5.0-r0, 2.5.0-r1

Multiple security vulnerabilities affect the openbao-fips package. These issues are resolved in later releases. See references for individual vulnerability details...

CVSS: 10 | AI score: 6.9 | EPSS: 0.0007 | Exploits: 7 | References: 52