CVE-2026-45808: OpenBao's cross-namespace lease revocation via legacy sys/revoke path bypasses ACL
OpenBao’s namespaces provide multi-tenant separation. The legacy, undocumented sys/revoke and sys/renew endpoints act on a lease identifier without enforcing that separation, so a tenant whose lease identifiers leak, deliberately or otherwise, can have the lease and the credential behind it revoked or renewed by a user in another tenant who supplies that identifier to one of these endpoints. The fix is in the commit, pull request and release listed under References.
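To make the boundary failure concrete, the following is an added example written for this page; it is not OpenBao's code and does not reproduce its lease store. It is a small in-memory model in which a lease records the namespace that issued it, with one revoke path that acts on the raw lease ID (the behaviour the advisory describes) beside revoke and renew paths that first check the caller's namespace. The type and function names (Lease, LeaseStore, RevokeLegacy, RevokeScoped, RenewScoped), the namespace path format and the sample lease data are all assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Added example, not OpenBao's code. All names below are hypothetical.

var ErrLeaseNotFound = errors.New("lease not found")

// Lease records the namespace that issued it. Namespace paths are assumed to
// be normalised ("" for root, "tenant-a/" for a child namespace).
type Lease struct {
	ID         string
	Namespace  string
	TTLSeconds int
}

type LeaseStore struct {
	leases map[string]Lease
}

func NewLeaseStore(leases ...Lease) *LeaseStore {
	s := &LeaseStore{leases: make(map[string]Lease)}
	for _, l := range leases {
		s.leases[l.ID] = l
	}
	return s
}

// RevokeLegacy models the vulnerable behaviour: the only input is the lease
// ID, so a caller in tenant-b who obtained a tenant-a lease ID can revoke
// tenant-a's credential. The caller's namespace is never consulted.
func (s *LeaseStore) RevokeLegacy(leaseID string) error {
	if _, ok := s.leases[leaseID]; !ok {
		return ErrLeaseNotFound
	}
	delete(s.leases, leaseID)
	return nil
}

// lookupScoped is the check a namespace-aware endpoint must make before
// touching a lease: the lease must belong to the namespace the request was
// made in. A foreign lease is reported exactly like a missing one, so the
// endpoint cannot be used to probe which lease IDs exist in other tenants.
// (Whether a parent namespace may act on a child's leases is a policy choice
// this model does not take; it requires an exact match.)
func (s *LeaseStore) lookupScoped(callerNamespace, leaseID string) (Lease, error) {
	l, ok := s.leases[leaseID]
	if !ok || l.Namespace != callerNamespace {
		return Lease{}, ErrLeaseNotFound
	}
	return l, nil
}

// RevokeScoped revokes only a lease owned by the caller's namespace.
func (s *LeaseStore) RevokeScoped(callerNamespace, leaseID string) error {
	if _, err := s.lookupScoped(callerNamespace, leaseID); err != nil {
		return err
	}
	delete(s.leases, leaseID)
	return nil
}

// RenewScoped applies the same boundary check to renewal, the other operation
// the advisory names, and returns the lease's new TTL.
func (s *LeaseStore) RenewScoped(callerNamespace, leaseID string, incrementSeconds int) (int, error) {
	l, err := s.lookupScoped(callerNamespace, leaseID)
	if err != nil {
		return 0, err
	}
	l.TTLSeconds = incrementSeconds
	s.leases[leaseID] = l
	return l.TTLSeconds, nil
}

// Has reports whether a lease is still present, for checking the outcome.
func (s *LeaseStore) Has(leaseID string) bool {
	_, ok := s.leases[leaseID]
	return ok
}

func main() {
	// Constructed sample data: a database credential lease issued in tenant-a.
	const leaseA = "database/creds/app/9f1c2d"
	fresh := func() *LeaseStore {
		return NewLeaseStore(Lease{ID: leaseA, Namespace: "tenant-a/", TTLSeconds: 3600})
	}

	store := fresh()
	err := store.RevokeLegacy(leaseA) // a tenant-b user who learned the ID
	fmt.Printf("legacy revoke by tenant-b: err=%v, lease still present=%v\n", err, store.Has(leaseA))

	store = fresh()
	err = store.RevokeScoped("tenant-b/", leaseA)
	fmt.Printf("scoped revoke by tenant-b: err=%v, lease still present=%v\n", err, store.Has(leaseA))

	ttl, err := store.RenewScoped("tenant-a/", leaseA, 7200)
	fmt.Printf("scoped renew by tenant-a: ttl=%d, err=%v\n", ttl, err)
}
```

The design point is that the namespace check happens in one lookup helper that every lease-mutating operation goes through, so revoke and renew cannot drift apart as they did between the documented and legacy paths. Returning the same "not found" error for a foreign lease as for a missing one is a deliberate choice to deny cross-tenant enumeration of lease IDs; an implementation that prefers a distinct permission-denied error should be aware of that trade-off.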
References
- github.com/advisories/GHSA-v8v8-cm84-m686
- github.com/openbao/openbao/commit/c0495646b41cea0e3f5a1030132e9cf5c2375b5c
- github.com/openbao/openbao/pull/3152
- github.com/openbao/openbao/releases/tag/v2.5.4
- github.com/openbao/openbao/security/advisories/GHSA-v8v8-cm84-m686
- nvd.nist.gov/vuln/detail/CVE-2026-45808
Detect and mitigate CVE-2026-45808 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities.