CVE-2026-39946: OpenBao's SQL Injection in PostgreSQL database secrets engine
When OpenBao revoked privileges on a role in the PostgreSQL database secrets engine, it failed to apply proper identifier quoting to the schema names it read back from PostgreSQL before splicing them into the REVOKE statements. A schema name containing quote or punctuation characters therefore changed the meaning of the statement, which could cause role revocation to fail or, more rarely, allow SQL injection executed as the management user.
This vulnerability was inherited from HashiCorp Vault, from which OpenBao was forked.
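The defect is a classic identifier-quoting bug: schema names are identifiers, not string literals, and must be double-quoted with embedded quotes doubled before they are placed in SQL text. The Go example below is added here and is not OpenBao's own code; `quoteIdent`, `revokeSchemaStatements` and `unsafeRevoke` are hypothetical names, and `quoteIdent` reimplements the standard PostgreSQL identifier rule (the same behaviour as lib/pq's `QuoteIdentifier`) so the snippet has no dependencies.

```go
package main

import (
	"fmt"
	"strings"
)

// quoteIdent quotes a PostgreSQL identifier: wrap it in double quotes and
// double any embedded double quote. This is the rule PostgreSQL applies to
// quoted identifiers and is what a database driver's QuoteIdentifier does.
func quoteIdent(name string) string {
	return `"` + strings.ReplaceAll(name, `"`, `""`) + `"`
}

// revokeSchemaStatements builds one REVOKE per schema reported by the
// database for the given role. Hypothetical helper showing the hardened
// pattern: both the schema name and the role name are emitted as quoted
// identifiers, so whatever characters they contain stay inside one identifier.
func revokeSchemaStatements(role string, schemas []string) []string {
	stmts := make([]string, 0, len(schemas))
	for _, s := range schemas {
		stmts = append(stmts, fmt.Sprintf(
			"REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA %s FROM %s;",
			quoteIdent(s), quoteIdent(role)))
	}
	return stmts
}

// unsafeRevoke shows the vulnerable pattern for comparison only: the schema
// name is interpolated raw, so punctuation in it is parsed as SQL syntax
// rather than as part of the identifier. Do not use.
func unsafeRevoke(role, schema string) string {
	return fmt.Sprintf("REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA %s FROM %s;",
		schema, role)
}

func main() {
	// Constructed sample input: a schema name that is legal in PostgreSQL
	// (quoted identifiers may contain any character) but hostile to
	// naive string splicing.
	schemas := []string{"public", `odd"name`}
	for _, stmt := range revokeSchemaStatements("app_ro", schemas) {
		fmt.Println("safe:  ", stmt)
	}
	fmt.Println("unsafe:", unsafeRevoke("app_ro", schemas[1]))
}
```

In the hardened output the second statement reads `... IN SCHEMA "odd""name" FROM "app_ro";`, a single well-formed identifier; in the unsafe variant the stray quote breaks the statement, which is the revocation-failure path the advisory describes.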
References
- github.com/advisories/GHSA-6vgr-cp5c-ffx3
- github.com/openbao/openbao/commit/80693a46ebb4fc2455f1c51ed1dd853b28c2fd77
- github.com/openbao/openbao/pull/2931
- github.com/openbao/openbao/releases/tag/v2.5.3
- github.com/openbao/openbao/security/advisories/GHSA-6vgr-cp5c-ffx3
- nvd.nist.gov/vuln/detail/CVE-2026-39946