Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in
🔥 Daily Hot!
💪🏽 CPE Enhanced Advisories
🕶 Shadow Exploits
🕵🏼 Vulners CPE
🔐 Security news
💻 Exploit updates
📑 Blogs review
🐧 Linux vulnerabilities
🐞 Bugbounty
🤖 AI High Score
📰 CVE Feed
show all

54 matches found

Github Security Blog
Github Security Blogadded 2026/04/21 5:26 p.m.5 views

OpenBao's Certificate Authentication Allows Token Renewal With Different Certificate

Background OpenBao's Certificate authentication method, when a token renewal is requested and disablebinding=true is set, attempts to verify the current request's presented mTLS certificate matches the original. Token renewals for other authentication methods do not require any supplied login...

3.1CVSS5.6AI score0.00021EPSS
Exploits0References6Affected Software1
OSV
OSVadded 2026/04/21 5:26 p.m.4 views

GHSA-7CCV-RP6M-RFFR OpenBao's Certificate Authentication Allows Token Renewal With Different Certificate

Background OpenBao's Certificate authentication method, when a token renewal is requested and disablebinding=true is set, attempts to verify the current request's presented mTLS certificate matches the original. Token renewals for other authentication methods do not require any supplied login...

3.1CVSS5.6AI score0.00021EPSS
Exploits0References6
EUVD
EUVDadded 2026/04/21 5:26 p.m.0 views

EUVD-2026-24029

OpenBao's Certificate Authentication Allows Token Renewal With Different Certificate...

2CVSS5.7AI score0.00021EPSS
Exploits0References5
RedhatCVE
RedhatCVEadded 2026/04/21 12:50 p.m.1 views

CVE-2026-40264

A flaw was found in OpenBao. OpenBao's multi-tenant separation feature allows a privileged administrator in one tenant to revoke or renew a token belonging to another tenant if that token's accessors are leaked. This unauthorized token management could lead to a denial of service for the affected...

2.7CVSS5.7AI score0.0005EPSS
Exploits0References2
RedhatCVE
RedhatCVEadded 2026/04/21 12:47 p.m.3 views

CVE-2026-39388

A flaw was found in OpenBao, an open source identity-based secrets management system. When renewing tokens using the Certificate authentication method with disablebinding=true, the system incorrectly verifies the presented mTLS mutual Transport Layer Security certificate. This vulnerability allow...

3.1CVSS5.7AI score0.00021EPSS
Exploits0References2
SUSE CVE
SUSE CVEadded 2026/04/21 12:16 p.m.2 views

SUSE CVE-2026-39388

OpenBao is an open source identity-based secrets management system. Prior to version 2.5.3, OpenBao's Certificate authentication method, when a token renewal is requested and disablebinding=true is set, attempts to verify the current request's presented mTLS certificate matches the original. Toke...

2CVSS5.7AI score0.00021EPSS
Exploits0References3
Snyk
Snykadded 2026/04/21 2:8 a.m.1 views

Improper Certificate Validation

Overview Affected versions of this package are vulnerable to Improper Certificate Validation in the certificate authentication process when disablebinding=true is set. An attacker can extend the lifetime of dynamic leases held by the original token by renewing tokens using a sibling certificate a...

3.1CVSS5.5AI score0.00021EPSS
Exploits0References2
NVD
NVDadded 2026/04/21 1:16 a.m.1 views

CVE-2026-39388

OpenBao is an open source identity-based secrets management system. Prior to version 2.5.3, OpenBao's Certificate authentication method, when a token renewal is requested and disablebinding=true is set, attempts to verify the current request's presented mTLS certificate matches the original. Toke...

3.1CVSS0.00021EPSS
Exploits0References1
Vulnrichment
Vulnrichmentadded 2026/04/21 12:47 a.m.2 views

CVE-2026-40264 OpenBao's Token Store Allows Cross-Namespace Renewal, Revocation

OpenBao is an open source identity-based secrets management system. OpenBao's namespaces provide multi-tenant separation. Prior to version 2.5.3, a tenant who leaks token accessors can have their token revoked or renewed by a privileged administrator in another tenant. This is addressed in v2.5.3...

2CVSS5.8AI score0.0005EPSS
Exploits0References1
AlpineLinux
AlpineLinuxadded 2026/04/21 12:47 a.m.4 views

CVE-2026-40264

OpenBao is an open source identity-based secrets management system. OpenBao's namespaces provide multi-tenant separation. Prior to version 2.5.3, a tenant who leaks token accessors can have their token revoked or renewed by a privileged administrator in another tenant. This is addressed in v2.5.3...

2.7CVSS5.4AI score0.0005EPSS
Exploits0
CVE
CVEadded 2026/04/21 12:43 a.m.9 views

CVE-2026-39388

OpenBao (open source identity-based secrets management) prior to version 2.5.3 contains a flaw in the Certificate authentication method: when a token renewal is requested with disable_binding=true, the system attempts to verify that the presented mTLS certificate matches the original. Due to inco...

3.1CVSS5.7AI score0.00021EPSS
Exploits0References1Affected Software1
Cvelist
Cvelistadded 2026/04/21 12:43 a.m.27 views

CVE-2026-39388 OpenBao's Certificate Authentication Allows Token Renewal With Different Certificate

OpenBao is an open source identity-based secrets management system. Prior to version 2.5.3, OpenBao's Certificate authentication method, when a token renewal is requested and disablebinding=true is set, attempts to verify the current request's presented mTLS certificate matches the original. Toke...

2CVSS0.00021EPSS
Exploits0References1
AlpineLinux
AlpineLinuxadded 2026/04/21 12:43 a.m.1 views

CVE-2026-39388

OpenBao is an open source identity-based secrets management system. Prior to version 2.5.3, OpenBao's Certificate authentication method, when a token renewal is requested and disablebinding=true is set, attempts to verify the current request's presented mTLS certificate matches the original. Toke...

3.1CVSS5.5AI score0.00021EPSS
Exploits0
Vulnrichment
Vulnrichmentadded 2026/04/21 12:43 a.m.1 views

CVE-2026-39388 OpenBao's Certificate Authentication Allows Token Renewal With Different Certificate

OpenBao is an open source identity-based secrets management system. Prior to version 2.5.3, OpenBao's Certificate authentication method, when a token renewal is requested and disablebinding=true is set, attempts to verify the current request's presented mTLS certificate matches the original. Toke...

2CVSS5.7AI score0.00021EPSS
Exploits0References1
ATTACKERKB
ATTACKERKBadded 2026/04/21 12:43 a.m.0 views

CVE-2026-39388

OpenBao is an open source identity-based secrets management system. Prior to version 2.5.3, OpenBao's Certificate authentication method, when a token renewal is requested and disablebinding=true is set, attempts to verify the current request's presented mTLS certificate matches the original. Toke...

2CVSS5.7AI score0.00021EPSS
Exploits0References2Affected Software1
CNNVD
CNNVDadded 2026/04/21 12:0 a.m.7 views

OpenBao 信任管理问题漏洞

OpenBao is an open-source sensitive data management software developed by OpenBao. Versions of OpenBao prior to 2.5.3 had vulnerabilities related to trust management. These vulnerabilities stemmed from incorrect matching during certificate authentication when renewing tokens. This allowed attacke...

3.1CVSS5.8AI score0.00021EPSS
Exploits0References2
CNNVD
CNNVDadded 2026/04/21 12:0 a.m.4 views

OpenBao 安全漏洞

OpenBao is an open-source sensitive data management software developed by OpenBao. Versions of OpenBao prior to 2.5.3 contained security vulnerabilities. These vulnerabilities were caused by a problem with tenant isolation in namespaces, which could lead to tokens being revoked from tenants whose...

2.7CVSS5.8AI score0.0005EPSS
Exploits0References2
Positive Technologies
Positive Technologiesadded 2026/04/21 12:0 a.m.1 views

PT-2026-33881

Name of the Vulnerable Software and Affected Versions OpenBao versions prior to 2.5.3 Description The Certificate authentication method contains a flaw during token renewal when disable binding=true is configured. The system incorrectly verifies if the mTLS certificate presented during a renewal...

3.1CVSS5.2AI score0.00021EPSS
Exploits0References19
RedhatCVE
RedhatCVEadded 2026/03/26 3:6 p.m.2 views

CVE-2026-4349

A vulnerability was determined in Duende IdentityServer4 up to 4.1.2. The affected element is an unknown function of the file /connect/authorize of the component Token Renewal Endpoint. This manipulation of the argument idtokenhint causes improper authentication. It is possible to initiate the...

6.3CVSS5.7AI score0.00024EPSS
Exploits0References1
EUVD
EUVDadded 2026/03/18 12:30 a.m.2 views

EUVD-2026-12659

A vulnerability was determined in Duende IdentityServer 4. The affected element is an unknown function of the file /connect/authorize of the component Token Renewal Endpoint. This manipulation of the argument idtokenhint causes improper authentication. It is possible to initiate the attack...

6.3CVSS5.4AI score0.00024EPSS
Exploits0References4
Rows per page
Query Builder