1978 matches found
CVE-2026-40264
A flaw was found in OpenBao. OpenBao's multi-tenant separation feature allows a privileged administrator in one tenant to revoke or renew a token belonging to another tenant if that token's accessors are leaked. This unauthorized token management could lead to a denial of service for the affected...
SUSE CVE-2026-39946
OpenBao is an open source identity-based secrets management system. Prior to version 2.5.3, when OpenBao revoked privileges on a role in the PostgreSQL database secrets engine, OpenBao failed to use proper database quoting on schema names provided by PostgreSQL. This could lead to role revocation...
Broken hard revocation handling
Before sq-git checks if a commit can be authenticated, it first looks for hard revocations. Because parsing a policy is expensive and a project's policy rarely changes, sq-git has an optimization to only check a policy if it hasn't checked it before. It does this by maintaining a set of policies...
CVE-2026-39946
A flaw was found in OpenBao. When OpenBao revoked privileges on a role in the PostgreSQL database secrets engine, it failed to use proper database quoting on schema names. This oversight could lead to role revocation failures or, in rarer instances, allow a management user to perform SQL injectio...
SQL Injection
Overview Affected versions of this package are vulnerable to SQL Injection due to improper quoting of schema names in the PostgreSQL database secrets engine during the role revocation process. An attacker can execute arbitrary SQL commands as the management user by supplying crafted schema names...
Improper Restriction of Security Token Assignment
Overview Affected versions of this package are vulnerable to Improper Restriction of Security Token Assignment via the token store process. An attacker can cause unauthorized renewal or revocation of tokens across namespaces by obtaining token accessors and leveraging privileged administrator...
CVE-2026-39946
OpenBao is an open source identity-based secrets management system. Prior to version 2.5.3, when OpenBao revoked privileges on a role in the PostgreSQL database secrets engine, OpenBao failed to use proper database quoting on schema names provided by PostgreSQL. This could lead to role revocation...
CVE-2026-40264 OpenBao's Token Store Allows Cross-Namespace Renewal, Revocation
OpenBao is an open source identity-based secrets management system. OpenBao's namespaces provide multi-tenant separation. Prior to version 2.5.3, a tenant who leaks token accessors can have their token revoked or renewed by a privileged administrator in another tenant. This is addressed in v2.5.3...
CVE-2026-40264
OpenBao is an open source identity-based secrets management system. OpenBao's namespaces provide multi-tenant separation. Prior to version 2.5.3, a tenant who leaks token accessors can have their token revoked or renewed by a privileged administrator in another tenant. This is addressed in v2.5.3...
CVE-2026-40264
OpenBao is an open source identity-based secrets management system. Prior to version 2.5.3, a tenant that leaks token accessors could have their token revoked or renewed by a privileged administrator in another tenant. This cross-namespace exposure is mitigated in version 2.5.3. The CVE entry not...
CVE-2026-39946 OpenBao allows SQL Injection in PostgreSQL database secrets engine
OpenBao is an open source identity-based secrets management system. Prior to version 2.5.3, when OpenBao revoked privileges on a role in the PostgreSQL database secrets engine, OpenBao failed to use proper database quoting on schema names provided by PostgreSQL. This could lead to role revocation...
CVE-2026-39946
OpenBao is an open source identity-based secrets management system. Prior to version 2.5.3, when OpenBao revoked privileges on a role in the PostgreSQL database secrets engine, OpenBao failed to use proper database quoting on schema names provided by PostgreSQL. This could lead to role revocation...
CVE-2026-39946 OpenBao allows SQL Injection in PostgreSQL database secrets engine
OpenBao is an open source identity-based secrets management system. Prior to version 2.5.3, when OpenBao revoked privileges on a role in the PostgreSQL database secrets engine, OpenBao failed to use proper database quoting on schema names provided by PostgreSQL. This could lead to role revocation...
CVE-2026-39946
OpenBao (open source identity-based secrets manager) before version 2.5.3 is affected. When revoking privileges on a role within the PostgreSQL database secrets engine, OpenBao could fail to properly quote schema names provided by PostgreSQL, potentially leading to role revocation failures and, m...
OpenBao SQL注入漏洞
OpenBao is an open-source sensitive data management software developed by OpenBao. Versions of OpenBao prior to 2.5.3 had a SQL injection vulnerability. This vulnerability occurred when revoking role permissions in the PostgreSQL database key engine, where the correct database reference was not...
OpenBao 安全漏洞
OpenBao is an open-source sensitive data management software developed by OpenBao. Versions of OpenBao prior to 2.5.3 contained security vulnerabilities. These vulnerabilities were caused by a problem with tenant isolation in namespaces, which could lead to tokens being revoked from tenants whose...
Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-7.3.1.7)
The version of AOS installed on the remote host is prior to 7.3.1.7. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AOS-7.3.1.7 advisory. - LIBPNG is a reference library for use in applications that read, create, and manipulate PNG Portable Network Graphics raste...
Incorrect Ownership Assignment
Overview Affected versions of this package are vulnerable to Incorrect Ownership Assignment through improper validation of the defaultGroup ID after group access revocation. An attacker can gain unauthorized access to group collections and perform full CRUD operations by omitting the X-Tenant...
CVE-2026-40196 HomeBox has Unauthorized API Access via Retained defaultGroup ID After Group Access Revocation
HomeBox is a home inventory and organization system. Versions prior to 0.25.0 contain a vulnerability where the defaultGroup ID remained permanently assigned to a user after being invited to a group, even after their access to that group was revoked. While the web interface correctly enforced the...
CVE-2026-40196 HomeBox has Unauthorized API Access via Retained defaultGroup ID After Group Access Revocation
HomeBox is a home inventory and organization system. Versions prior to 0.25.0 contain a vulnerability where the defaultGroup ID remained permanently assigned to a user after being invited to a group, even after their access to that group was revoked. While the web interface correctly enforced the...