CVE-2026-42186: OpenBao's Namespace Deletion May Not Delete Data Properly

May 5, 2026

When OpenBao’s initial namespace deletion fails, subsequent retries fail to properly remove all data before marking the namespace as deleted. This can affect any outstanding leases as well as potentially leaving unrelated storage entries around.

References

github.com/advisories/GHSA-vv66-6rp4-wr4f
github.com/openbao/openbao/commit/6d2e0506e2b41be0eaa6643bf7b4efc9a2c09445
github.com/openbao/openbao/releases/tag/v2.5.3
github.com/openbao/openbao/security/advisories/GHSA-vv66-6rp4-wr4f
nvd.nist.gov/vuln/detail/CVE-2026-42186

Code Behaviors & Features

Detect and mitigate CVE-2026-42186 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →