CVE-2026-46405: OpenBao's Kerberos Auth Method Accumulates Unaccessible Tokens
In OpenBao’s Kerberos auth method on the GET handler, or when an Authorization: Negotiate header is supplied, the response is includes a logical.Auth object in addition to an error message. This results in tokens being created with only the default policy, default TTL, and no entity information, which are hidden by the returned error message. No access to these tokens by the caller occurs and the authentication token is not ever made accessible outside of sys/raw. At most this could cause storage usage.
References
- github.com/advisories/GHSA-7j6w-vvw2-5f9c
- github.com/openbao/openbao/commit/0d82e0a5a3b6a93e8087bcbaf0b11326c12d4f4d
- github.com/openbao/openbao/pull/3150
- github.com/openbao/openbao/releases/tag/v2.5.4
- github.com/openbao/openbao/security/advisories/GHSA-7j6w-vvw2-5f9c
- nvd.nist.gov/vuln/detail/CVE-2026-46405
Code Behaviors & Features
Detect and mitigate CVE-2026-46405 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →