CVE-2026-39946
MEDIUM4.9EPSS 0.03%OpenBao's SQL Injection in PostgreSQL database secrets engine
Published: 4/21/2026Modified: 5/5/2026
Description
### Impact When OpenBao revoked privileges on a role in the PostgreSQL database secrets engine, OpenBao failed to use proper database quoting on schema names provided by PostgreSQL. This could lead to role revocation failures, or more rarely, SQL injection as the management user. This vulnerability was originally from HashiCorp Vault. ### Patches This was addressed in v2.5.3. ### Workarounds Audit table schemas and ensure database users cannot create new schemas and grant privileges on them.
Affected packages (1)
- Go/github.com/openbao/openbaofrom 0, < 0.0.0-20260420155735-b596b0882620
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM4.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N |
References (6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-39946
- PATCHhttps://github.com/openbao/openbao
- WEBhttps://github.com/openbao/openbao/commit/80693a46ebb4fc2455f1c51ed1dd853b28c2fd77
- WEBhttps://github.com/openbao/openbao/pull/2931
- WEBhttps://github.com/openbao/openbao/releases/tag/v2.5.3
- WEBhttps://github.com/openbao/openbao/security/advisories/GHSA-6vgr-cp5c-ffx3