GHSA-c36x-h252-g9x2
OpenBao: Cross-namespace lease revocation/renewal via canonical sys/leases/{revoke,renew} — incomplete fix of CVE-2026-45808
Details
### Summary
OpenBao users with access to the `sys/leases/revoke/:lease_id` endpoint in any namespace can revoke leases in any other namespace, provided the lease identifier is known to them, bypassing the ACLs that should govern cross-namespace revocation.
### Impact
OpenBao's namespaces provide multi-tenant separation. A tenant whose lease identifiers become known to another tenant (for example, through an unintentional leak) can have the lease, and the credential it backs, revoked by a user in that other tenant.
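As an added illustration of the failure mode described above (not OpenBao's code, and not the fix in the referenced pull request), the Go model below contrasts two authorization orders for a lease revoke: checking the ACL against the request path in the caller's namespace and only then resolving the lease globally, versus resolving the lease first and refusing anything outside the caller's namespace subtree. The lease index, namespace layout, policy shapes and lease IDs are all constructed for the example; the real ACL and lease-ID encoding in OpenBao differ.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Lease holds the two facts a revoke decision needs: the namespace the lease
// was issued in and its path inside that namespace.
type Lease struct {
	Namespace string // "" for root, otherwise a trailing-slash path such as "tenant-a/"
	Path      string // e.g. "database/creds/readonly/6f1c"
}

// Policy is the slice of an ACL this model needs: the namespace it is bound to
// and the path prefixes it grants revoke capability on inside that namespace.
type Policy struct {
	Namespace string
	Prefixes  []string
}

// Constructed in-memory lease index (not real OpenBao storage). A lease is
// addressable across namespaces by its namespace-qualified ID, which is what
// makes a leaked ID usable from another tenant.
var leases = map[string]Lease{
	"tenant-a/database/creds/readonly/6f1c": {Namespace: "tenant-a/", Path: "database/creds/readonly/6f1c"},
	"tenant-b/database/creds/admin/9e20":    {Namespace: "tenant-b/", Path: "database/creds/admin/9e20"},
}

var (
	ErrPermissionDenied = errors.New("permission denied")
	ErrLeaseNotFound    = errors.New("lease not found")
)

// granted reports whether some policy bound to ns covers path.
func granted(policies []Policy, ns, path string) bool {
	for _, p := range policies {
		if p.Namespace != ns {
			continue
		}
		for _, prefix := range p.Prefixes {
			if strings.HasPrefix(path, prefix) {
				return true
			}
		}
	}
	return false
}

// revokeVulnerable evaluates the ACL against the request path in the caller's
// namespace and only afterwards resolves the lease globally. A tenant-a token
// whose policy covers sys/leases/revoke/ therefore revokes tenant-b's lease.
func revokeVulnerable(callerNS string, policies []Policy, leaseID string) error {
	if !granted(policies, callerNS, "sys/leases/revoke/"+leaseID) {
		return ErrPermissionDenied
	}
	if _, ok := leases[leaseID]; !ok {
		return ErrLeaseNotFound
	}
	return nil // lease would be revoked here
}

// revokeFixed resolves the lease first, requires it to live in the caller's
// namespace or a descendant of it, and evaluates the ACL on the lease's own
// path. IDs outside the caller's subtree get the same error as a denied
// request, so the endpoint does not double as an existence oracle for other
// tenants' leases. (Descendant handling is simplified: the ACL is checked in
// the caller's namespace only.)
func revokeFixed(callerNS string, policies []Policy, leaseID string) error {
	lease, ok := leases[leaseID]
	if !ok {
		if strings.HasPrefix(leaseID, callerNS) {
			return ErrLeaseNotFound
		}
		return ErrPermissionDenied
	}
	if !strings.HasPrefix(lease.Namespace, callerNS) {
		return ErrPermissionDenied
	}
	if !granted(policies, callerNS, "sys/leases/revoke/"+lease.Path) {
		return ErrPermissionDenied
	}
	return nil // lease would be revoked here
}

func main() {
	tenantA := []Policy{{Namespace: "tenant-a/", Prefixes: []string{"sys/leases/revoke/"}}}
	leaked := "tenant-b/database/creds/admin/9e20" // tenant-b's lease ID, known to tenant-a
	fmt.Println("vulnerable order:", revokeVulnerable("tenant-a/", tenantA, leaked))
	fmt.Println("fixed order:     ", revokeFixed("tenant-a/", tenantA, leaked))
}
```

The point of the ordering is that the ACL check only means something once the request has been pinned to the namespace the lease actually belongs to; checking the caller's own namespace first lets a policy that is perfectly reasonable inside tenant-a reach into tenant-b.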
### Patch
This will be fixed in OpenBao v2.5.5.
### References
This vulnerability is similar to but distinct from:
- CVE-2026-45808 / GHSA-v8v8-cm84-m686
- CVE-2026-40264 / GHSA-p49j-v9wc-wg57
Affected packages
- github.com/openbao/openbao (Go module), range introduced at 0.1.0: no fixed version published.
- github.com/openbao/openbao (Go module), range introduced at 0: fixed in 0.0.0-20260617103932-b20b999dd404 (commit b20b999dd404); `go get github.com/openbao/openbao@v0.0.0-20260617103932-b20b999dd404`
References
- https://github.com/openbao/openbao/security/advisories/GHSA-c36x-h252-g9x2 [WEB]
- https://github.com/openbao/openbao/pull/3307 [WEB]
- https://github.com/openbao/openbao/commit/b20b999dd4044d7b419a5472d8fe08407828be37 [WEB]
- https://github.com/openbao/openbao [PACKAGE]
- https://github.com/openbao/openbao/releases/tag/v2.5.5 [WEB]