
CVE-2026-33757: OpenBao lacks user confirmation for OIDC direct callback mode

March 26, 2026 (updated March 27, 2026)

OpenBao does not prompt for user confirmation when a user logs in through the JWT/OIDC auth method using a role whose callback_mode is set to direct.

This allows an attacker to start an authentication request and carry out "remote phishing": the attacker sends the victim the authorization URL, and when the victim visits it they are automatically logged in to the session the attacker started rather than to one of their own. Although direct mode is based on the authorization code flow, the identity provider calls back directly to the OpenBao API rather than to the client that started the request, so the attacker only has to keep polling OpenBao until a token is issued and then collect it.
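The sequence above, reduced to a runnable Go simulation that is added here and is not OpenBao's code: a client (the attacker) starts a login and receives a state value, the victim's browser reaches the callback for that state, and the client polls for the token. With requireConfirm=false the poll returns a token for the victim's identity as soon as the callback arrives, which is the fixation the advisory describes; with requireConfirm=true the token is withheld until the browser user explicitly confirms, which is what "user confirmation" buys. The type, method and error names, the hostnames and the token format are all assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

// Hypothetical simulation, not OpenBao code. A pending and an unconfirmed
// login both surface to the poller as ErrPending (RFC 8628 wording).
var (
	ErrUnknownState = errors.New("unknown or already consumed state")
	ErrPending      = errors.New("authorization_pending")
)

// pendingLogin is one outstanding direct-mode login, keyed by OIDC state.
type pendingLogin struct {
	identity  string // subject asserted by the IdP once a browser arrives
	confirmed bool   // browser user explicitly approved completing this login
}

// DirectCallbackServer stands in for the server side of a direct-callback
// login: requireConfirm=false reproduces the advisory's behaviour,
// requireConfirm=true adds the missing user confirmation step.
type DirectCallbackServer struct {
	mu             sync.Mutex
	requireConfirm bool
	logins         map[string]*pendingLogin
}

func NewServer(requireConfirm bool) *DirectCallbackServer {
	return &DirectCallbackServer{requireConfirm: requireConfirm, logins: map[string]*pendingLogin{}}
}

// StartAuth is called by the client (here: the attacker) and returns the
// state that identifies this login in the authorization URL and in Poll.
func (s *DirectCallbackServer) StartAuth() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	state := hex.EncodeToString(b)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.logins[state] = &pendingLogin{}
	return state
}

// Callback is reached by whichever browser follows the authorization URL;
// identity stands in for the subject from the real authorization-code exchange.
func (s *DirectCallbackServer) Callback(state, identity string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	p, ok := s.logins[state]
	if !ok {
		return ErrUnknownState
	}
	p.identity = identity
	p.confirmed = !s.requireConfirm // vulnerable mode: arriving counts as consent
	return nil
}

// Confirm models the confirmation page shown to the browser user after the
// callback; a victim who never started this login simply declines.
func (s *DirectCallbackServer) Confirm(state string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	p, ok := s.logins[state]
	if !ok {
		return ErrUnknownState
	}
	p.confirmed = true
	return nil
}

// Poll is what the client polls until a token appears; the state is consumed.
func (s *DirectCallbackServer) Poll(state string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	p, ok := s.logins[state]
	if !ok {
		return "", ErrUnknownState
	}
	if p.identity == "" || !p.confirmed {
		return "", ErrPending
	}
	delete(s.logins, state)
	return "s.token-for-" + p.identity, nil // constructed token format
}

func main() {
	for _, hardened := range []bool{false, true} {
		s := NewServer(hardened)
		state := s.StartAuth()                       // attacker starts the login
		fmt.Println("attacker sends victim a link carrying state", state)
		_ = s.Callback(state, "victim@example.test") // victim's browser follows it
		tok, err := s.Poll(state)                    // attacker polls for the result
		fmt.Printf("requireConfirm=%v: token=%q err=%v\n", hardened, tok, err)
	}
}
```

The polling client never touches the victim's browser, which is why ordinary anti-CSRF protection on the state value does not help here: the state is the attacker's own. Only something the victim must actively do before the token is released, such as the confirmation step, breaks the chain.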

References

  • datatracker.ietf.org/doc/html/rfc8628
  • github.com/advisories/GHSA-7q7g-x6vg-xpc3
  • github.com/openbao/openbao
  • github.com/openbao/openbao/commit/e32103951925723e9787e33886ab6b6ec20f4964
  • github.com/openbao/openbao/security/advisories/GHSA-7q7g-x6vg-xpc3
  • nvd.nist.gov/vuln/detail/CVE-2026-33757


Affected versions

All versions before 0.0.0-20260325142553-e32103951925

Fixed versions

  • 0.0.0-20260325142553-e32103951925

Solution

Upgrade to version 0.0.0-20260325142553-e32103951925 or above.

Impact 9.6 CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L


Weakness

  • CWE-384: Session Fixation

Source file

go/github.com/openbao/openbao/CVE-2026-33757.yml

Page generated Mon, 18 May 2026 12:21:19 +0000.