NIXPKGS-2026-0851

GitHub issue published on

Permalink CVE-2026-33757

9.6 CRITICAL

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): Required (R)
Scope (S): Changed (C)
Confidentiality (C): High (H)
Integrity (I): High (H)
Availability (A): Low (L)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): Required (R)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Changed (C)
Modified Integrity (MI): High (H)
Modified Availability (MA): Low (L)

updated 1 month, 3 weeks ago by @mweinelt Activity log

Created suggestion 1 month, 4 weeks ago
@LeSuisse deleted
2 maintainers
- @emilylange
- @brianmay
1 month, 3 weeks ago maintainer.delete
@mweinelt added
2 maintainers
- @emilylange
- @brianmay
1 month, 3 weeks ago maintainer.add
@mweinelt accepted 1 month, 3 weeks ago
@mweinelt published on GitHub 1 month, 3 weeks ago

OpenBao lacks user confirmation for OIDC direct callback mode

OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao does not prompt for user confirmation when logging in via JWT/OIDC and a role with `callback_mode` set to `direct`. This allows an attacker to start an authentication request and perform "remote phishing" by having the victim visit the URL and automatically log-in to the session of the attacker. Despite being based on the authorization code flow, the `direct` mode calls back directly to the API and allows an attacker to poll for an OpenBao token until it is issued. Version 2.5.2 includes an additional confirmation screen for `direct` type logins that requires manual user interaction in order to finish the authentication. This issue can be worked around either by removing any roles with `callback_mode=direct` or enforcing confirmation for every session on the token issuer side for the Client ID used by OpenBao.

References

https://github.com/openbao/openbao/security/advisories/GHSA-7q7g-x6vg-xpc3 x_refsource_CONFIRM
https://github.com/openbao/openbao/commit/e32103951925723e9787e33886ab6b6ec20f4964 x_refsource_MISC
https://datatracker.ietf.org/doc/html/rfc8628#section-5.4 x_refsource_MISC

Affected products

openbao

==< 2.5.2

Matching in nixpkgs

pkgs.openbao

Open source, community-driven fork of Vault managed by the Linux Foundation

nixos-unstable 2.5.1
- nixpkgs-unstable 2.5.1
- nixos-unstable-small 2.5.2
nixos-25.11 2.4.4
- nixos-25.11-small 2.5.2
- nixpkgs-25.11-darwin 2.4.4

Package maintainers

@brianmay Brian May <brian@linuxpenguins.xyz>
@emilylange Emily Lange <nix@emilylange.de>

https://github.com/openbao/openbao/security/advisories/GHSA-7q7g-x6vg-xpc3

Nixpkgs security tracker

Details of issue NIXPKGS-2026-0851

References

Affected products

Matching in nixpkgs

pkgs.openbao

Package maintainers