CVE-2026-33758: OpenBao has Reflected XSS in its OIDC authentication error message
OpenBao installations with an OIDC/JWT authentication method enabled and a role configured with callback_mode=direct are vulnerable to reflected cross-site scripting (XSS): the error_description parameter of a failed authentication callback is rendered unescaped on the resulting error page.
An attacker who gets a victim to open a crafted callback URL can run script in the victim's browser and obtain the token the victim uses in the Web UI. The fix ships in OpenBao v2.5.2 (see the references below).
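The following is an added illustration of the bug class, not OpenBao's code and not a proof of concept from the advisory. It is a minimal OIDC callback handler that renders the provider's error_description on a failed login, first by string concatenation (reflecting any HTML verbatim) and then through html/template, which escapes the value for its HTML context. The callback path, the error page markup and the payload are all constructed for the example.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// vulnerableErrorPage builds the failure page with fmt.Sprintf, so whatever
// the identity provider (or an attacker crafting the callback URL) puts in
// error_description lands in the page as live HTML. Illustrative only.
func vulnerableErrorPage(errDesc string) string {
	return fmt.Sprintf(
		"<html><body><h1>Authentication failed</h1><p>%s</p></body></html>",
		errDesc)
}

// safeTmpl renders the same page through html/template, which applies
// contextual escaping to {{.}} (here: HTML text context).
var safeTmpl = template.Must(template.New("err").Parse(
	"<html><body><h1>Authentication failed</h1><p>{{.}}</p></body></html>"))

// safeErrorPage is the hardened form of vulnerableErrorPage.
func safeErrorPage(errDesc string) string {
	var buf bytes.Buffer
	if err := safeTmpl.Execute(&buf, errDesc); err != nil {
		// Never fall back to raw interpolation on a template error.
		return "<html><body><h1>Authentication failed</h1></body></html>"
	}
	return buf.String()
}

// callbackHandler wraps a page renderer as the OIDC callback endpoint.
// An OIDC error response carries error and error_description query
// parameters (RFC 6749 section 4.1.2.1 semantics).
func callbackHandler(render func(string) string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		q := r.URL.Query()
		if q.Get("error") == "" {
			http.Error(w, "missing error parameter", http.StatusBadRequest)
			return
		}
		w.Header().Set("Content-Type", "text/html; charset=utf-8")
		fmt.Fprint(w, render(q.Get("error_description")))
	}
}

// renderCallback drives a handler with a constructed failed-login callback
// URL and returns the HTML the victim's browser would receive.
// "/oidc/callback" is an assumed path for the example.
func renderCallback(render func(string) string, errDesc string) string {
	q := url.Values{}
	q.Set("error", "access_denied")
	q.Set("error_description", errDesc)
	req := httptest.NewRequest(http.MethodGet, "/oidc/callback?"+q.Encode(), nil)
	rec := httptest.NewRecorder()
	callbackHandler(render)(rec, req)
	return rec.Body.String()
}

// payload is a constructed marker payload. A real attack would instead read
// the UI session token and send it to an attacker-controlled origin.
const payload = "<script>alert(1)</script>"

func main() {
	fmt.Println("vulnerable:", renderCallback(vulnerableErrorPage, payload))
	fmt.Println("hardened:  ", renderCallback(safeErrorPage, payload))
}
```

The hardened variant is what a practitioner should check for when reviewing any page that echoes OIDC error parameters: the value must pass through an HTML-aware encoder (html/template in Go, or the front-end framework's default escaping), never through plain string formatting or an unsafe-HTML helper.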
References
- github.com/advisories/GHSA-cpj3-3r2f-xj59
- github.com/openbao/openbao
- github.com/openbao/openbao/commit/6e2b2dd84f0e47cebc90d6e79609dd5274732662
- github.com/openbao/openbao/pull/2709
- github.com/openbao/openbao/releases/tag/v2.5.2
- github.com/openbao/openbao/security/advisories/GHSA-cpj3-3r2f-xj59
- nvd.nist.gov/vuln/detail/CVE-2026-33758