NIXPKGS-2026-1220

GitHub issue published on

Permalink CVE-2026-39946

updated 4 hours ago by @LeSuisse Activity log

Created automatic suggestion 16 hours ago
@LeSuisse accepted 5 hours ago
@LeSuisse published on GitHub 4 hours ago

OpenBao allows SQL Injection in PostgreSQL database secrets engine

OpenBao is an open source identity-based secrets management system. Prior to version 2.5.3, when OpenBao revoked privileges on a role in the PostgreSQL database secrets engine, OpenBao failed to use proper database quoting on schema names provided by PostgreSQL. This could lead to role revocation failures, or more rarely, SQL injection as the management user. This vulnerability was original from HashiCorp Vault. The vulnerability is addressed in v2.5.3. As a workaround, audit table schemas and ensure database users cannot create new schemas and grant privileges on them.

References

https://github.com/openbao/openbao/security/advisories/GHSA-6vgr-cp5c-ffx3 x_refsource_CONFIRM

Affected products

openbao

==< 2.5.3

Matching in nixpkgs

pkgs.openbao

Open source, community-driven fork of Vault managed by the Linux Foundation

nixos-unstable 2.5.2
- nixpkgs-unstable 2.5.2
- nixos-unstable-small 2.5.2
nixos-25.11 2.5.2
- nixos-25.11-small 2.5.2
- nixpkgs-25.11-darwin 2.5.2

Package maintainers

@emilylange Emily Lange <nix@emilylange.de>
@brianmay Brian May <brian@linuxpenguins.xyz>

Nixpkgs security tracker

Details of issue NIXPKGS-2026-1220

References

Affected products

Matching in nixpkgs

pkgs.openbao

Package maintainers