OpenBao JWT/OIDC Login Confirmation Bypass Vulnerability in Direct Callback Mode

Vulnerability

A vulnerability exists in OpenBao versions prior to 2.5.2: the server does not require user confirmation during JWT/OpenID Connect logins through roles whose 'callback_mode' is set to 'direct'. In 'direct' mode the OpenBao server, rather than the client that started the login, receives the identity provider's callback, so nothing ties the party that initiated the authentication request to the party that completes it. An attacker can therefore generate an authentication request, send it to a victim, and, once the victim completes the login at the identity provider, poll OpenBao until the resulting token is handed to the attacker. The underlying exchange is still the standard authorization code flow; the missing confirmation step is what lets a login started by one party be claimed by another. The issue is fixed in version 2.5.2, which adds a mandatory confirmation step for 'direct' logins.

Impact

Exploiting this flaw enables 'remote phishing': an attacker who can get a victim to follow an attacker-generated login request obtains an OpenBao token that represents the victim's identity, because direct callback mode never asks the victim to confirm that the login they are completing is their own.

Reproduction

To reproduce, against an OpenBao version earlier than 2.5.2, configure a JWT/OIDC role with 'callback_mode' set to 'direct' and start a login through that role. No confirmation prompt appears at any point. If the authentication request produced for that login is handed to a second user and that user completes the identity provider login, the session that initiated the request (the attacker's) receives the resulting OpenBao token. From 2.5.2 onward the same procedure stops at the added confirmation step.

Remediation

Upgrade to OpenBao version 2.5.2 or later, which includes the required confirmation step for 'direct' OIDC logins. If upgrading is not immediately possible, remove roles with 'callback_mode=direct' (or move them off 'direct' mode), or enforce a confirmation requirement on the token issuer side for the Client ID used by OpenBao, so that the identity provider itself asks the user to confirm each login.
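The following audit script is an added example, not code from the OpenBao project or from the advisory. It checks the two facts the remediation depends on: whether the server is older than 2.5.2, and which JWT/OIDC roles still use 'callback_mode=direct'. It assumes the Vault-compatible HTTP API paths OpenBao exposes (GET sys/health for the version, LIST auth/<mount>/role and GET auth/<mount>/role/<name> for role configuration), the X-Vault-Token request header, and a mount path of 'oidc'; the BAO_OIDC_MOUNT environment variable and the sample role data are the example's own inventions.

```python
"""
Added example (not OpenBao project code): audit a JWT/OIDC auth mount for
roles that use callback_mode=direct and combine that with the server version
to decide whether the direct-login confirmation fix (2.5.2) is in place.

Assumptions: Vault-compatible API paths (GET sys/health, LIST auth/<mount>/role,
GET auth/<mount>/role/<name>), the X-Vault-Token header, and a default mount
named "oidc". BAO_OIDC_MOUNT is a hypothetical variable used only here.
"""
import json
import os
import urllib.error
import urllib.request

FIXED_VERSION = (2, 5, 2)  # first release that requires confirmation for 'direct' logins


def parse_version(version: str) -> tuple:
    """Turn '2.5.1' or 'v2.5.1+ent' into a comparable tuple.
    Pre-release suffixes such as '-beta' are dropped, so a 2.5.2 pre-release
    is reported as fixed; check such builds by hand."""
    core = version.lstrip("v").split("+", 1)[0].split("-", 1)[0]
    parts = [int(p) for p in core.split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable_version(version: str) -> bool:
    return parse_version(version) < FIXED_VERSION


def find_direct_roles(roles: dict) -> list:
    """roles maps role name -> role configuration (the 'data' object returned
    by GET auth/<mount>/role/<name>). Returns the names whose callback_mode is
    'direct', sorted for stable output."""
    return sorted(name for name, cfg in roles.items()
                  if cfg.get("callback_mode") == "direct")


def assess(version: str, roles: dict) -> dict:
    """Combine the version check and the role scan into one verdict."""
    direct = find_direct_roles(roles)
    vulnerable = is_vulnerable_version(version)
    return {
        "version": version,
        "vulnerable_version": vulnerable,
        "direct_roles": direct,
        "at_risk": vulnerable and len(direct) > 0,
    }


class OpenBaoClient:
    """Minimal HTTP client; only the calls the audit needs."""

    def __init__(self, addr: str, token: str):
        self.addr = addr.rstrip("/")
        self.token = token

    def _request(self, method: str, path: str) -> dict:
        req = urllib.request.Request(f"{self.addr}/v1/{path}", method=method,
                                     headers={"X-Vault-Token": self.token})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)

    def version(self) -> str:
        try:
            return self._request("GET", "sys/health")["version"]
        except urllib.error.HTTPError as err:
            # sys/health uses non-200 status codes for standby/sealed nodes
            # but the JSON body still carries the version.
            return json.load(err)["version"]

    def roles(self, mount: str = "oidc") -> dict:
        try:
            names = self._request("LIST", f"auth/{mount}/role")["data"]["keys"]
        except urllib.error.HTTPError as err:
            if err.code == 404:  # no roles configured on this mount
                return {}
            raise
        return {n: self._request("GET", f"auth/{mount}/role/{n}")["data"] for n in names}


# Constructed sample data standing in for a live server (not real OpenBao output).
SAMPLE_VERSION = "2.5.1"
SAMPLE_ROLES = {
    "cli-users": {"role_type": "oidc", "callback_mode": "client", "user_claim": "sub"},
    "web-direct": {"role_type": "oidc", "callback_mode": "direct", "user_claim": "email"},
    "ci-jwt": {"role_type": "jwt", "user_claim": "sub", "bound_audiences": ["openbao"]},
}

if __name__ == "__main__":
    addr, token = os.environ.get("BAO_ADDR"), os.environ.get("BAO_TOKEN")
    if addr and token:
        client = OpenBaoClient(addr, token)
        verdict = assess(client.version(), client.roles(os.environ.get("BAO_OIDC_MOUNT", "oidc")))
    else:
        verdict = assess(SAMPLE_VERSION, SAMPLE_ROLES)
    print(json.dumps(verdict, indent=2))
```

Run it with BAO_ADDR and BAO_TOKEN set (a token with list and read on auth/oidc/role) to audit a live server; without them it evaluates the constructed sample and reports the one 'direct' role as at risk on 2.5.1. A server at 2.5.2 or later is reported as not at risk even when 'direct' roles remain, because the confirmation step is then enforced by OpenBao itself.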

Added: Mar 27, 2026, 3:43 PM
Updated: Mar 27, 2026, 3:43 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 5.4
remediation: 0.0
relevance: 4.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.