OpenBao Certificate Authentication Token Renewal Vulnerability

Vulnerability

A vulnerability exists in OpenBao's Certificate authentication method prior to version 2.5.3. When token renewal is requested with 'disable_binding=true', the system incorrectly verifies the presented mTLS certificate, allowing an attacker to renew tokens using a sibling certificate and key signed by the same CA, without matching the original certificate or role. This could enable the attacker to extend the lifetime of dynamic leases associated with the original token; exploitation requires knowledge of the original token or its accessor.

Impact

Exploitation allows for unauthorized token renewal, extending the lifetime of dynamic leases associated with the original token, which could be used to authenticate within a similar scope.

Remediation

Users are advised to update to OpenBao version 2.5.3 and ensure that privileged roles are tightly scoped to single certificates.
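As an added illustration (not OpenBao's code and not its API), the Go program below contrasts the weak renewal check described above, where any client certificate chaining to the same CA is accepted, with a renewal check that binds the token to the exact certificate and role it was issued for, which is the property the remediation's "single certificate per privileged role" advice relies on. TokenBinding, ChainsToCA, RenewWithBinding, mustIssue and Demo are hypothetical names; the CA and the two sibling client certificates are constructed in-process so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// TokenBinding is what this hypothetical backend records at login: role plus leaf fingerprint.
type TokenBinding struct {
	Role            string
	CertFingerprint string
}

// check panics on fixture-setup errors; it is only used while building constructed test certs.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// Fingerprint is the hex SHA-256 of the DER-encoded certificate.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// ChainsToCA models the weak renewal check the advisory describes: any client cert from the CA passes.
func ChainsToCA(leaf *x509.Certificate, roots *x509.CertPool) bool {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	_, err := leaf.Verify(opts)
	return err == nil
}

// RenewWithBinding is the hardened check: valid chain, matching role, and the exact bound leaf.
func RenewWithBinding(b TokenBinding, role string, leaf *x509.Certificate, roots *x509.CertPool) error {
	switch {
	case !ChainsToCA(leaf, roots):
		return errors.New("certificate does not chain to the trusted CA")
	case role != b.Role:
		return errors.New("role does not match the token's binding")
	case Fingerprint(leaf) != b.CertFingerprint:
		return errors.New("presented certificate is not the one bound to the token")
	}
	return nil
}

// mustIssue builds a constructed test certificate; parent == nil yields a self-signed CA.
func mustIssue(serial int64, cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		BasicConstraintsValid: true,
	}
	signer := key
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.KeyUsage, parent = true, x509.KeyUsageCertSign, tmpl
	} else { // client-auth leaf signed by the CA
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// Demo builds one CA and two sibling client certs, binds a token to the first, and reports whether
// the weak check accepts the sibling, whether the bound check does, and whether the bound check
// still accepts the original certificate.
func Demo() (weakAcceptsSibling, boundAcceptsSibling, boundAcceptsOriginal bool) {
	ca, caKey := mustIssue(1, "test-ca", nil, nil)
	original, _ := mustIssue(2, "svc-a", ca, caKey)
	sibling, _ := mustIssue(3, "svc-b", ca, caKey) // same CA, different key and subject
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	b := TokenBinding{Role: "admin", CertFingerprint: Fingerprint(original)}
	return ChainsToCA(sibling, roots),
		RenewWithBinding(b, "admin", sibling, roots) == nil,
		RenewWithBinding(b, "admin", original, roots) == nil
}

func main() {
	w, s, o := Demo()
	fmt.Printf("CA-only check accepts sibling: %v\nbound check accepts sibling: %v\nbound check accepts original: %v\n", w, s, o)
}
```

Running it shows the CA-only check accepting the sibling certificate while the bound check rejects it and still accepts the original. The fingerprint comparison is what ties renewal to the certificate the token was issued against; the role comparison matters on its own, since a role scoped to a single certificate is only as tight as the check that enforces it at renewal time.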

Added: Apr 21, 2026, 1:21 AM
Updated: Apr 21, 2026, 1:21 AM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          0.6
exploitability  4.7
remediation     0.0
relevance       6.4
threat          0.0
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.