Nixpkgs security tracker

Untriaged

Permalink CVE-2026-40264

created 1 month ago Activity log

Created suggestion 1 month ago

OpenBao's Token Store Allows Cross-Namespace Renewal, Revocation

OpenBao is an open source identity-based secrets management system. OpenBao's namespaces provide multi-tenant separation. Prior to version 2.5.3, a tenant who leaks token accessors can have their token revoked or renewed by a privileged administrator in another tenant. This is addressed in v2.5.3.

References

https://github.com/openbao/openbao/security/advisories/GHSA-p49j-v9wc-wg57 x_refsource_CONFIRM

Affected products

openbao

==< 2.5.3

Matching in nixpkgs

pkgs.openbao

Open source, community-driven fork of Vault managed by the Linux Foundation

nixos-unstable 2.5.2
- nixpkgs-unstable 2.5.2
- nixos-unstable-small 2.5.2
nixos-25.11 2.5.2
- nixos-25.11-small 2.5.2
- nixpkgs-25.11-darwin 2.5.2

Package maintainers

@emilylange Emily Lange <nix@emilylange.de>
@brianmay Brian May <brian@linuxpenguins.xyz>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.openbao

Package maintainers