CVE-2026-46358
OpenBao's Inline Auth Incorrectly Redacted Headers
Published: 5/28/2026Modified: 5/28/2026
Description
### Impact OpenBao's inline auth functionality incorrectly redacted audit log entries, resulting in non-auth headers being removed and auth-related headers being retained in cleartext. This requires an attacker to compromise access to the audit device. Operators should review leaked source authentication material and rotate it as appropriate. ### Patches This is fixed in OpenBao v2.5.4. ### Resources https://github.com/openbao/openbao/issues/3074
Affected packages (1)
- Go/github.com/openbao/openbaofrom 0, < 2.5.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
References (6)
- PATCHhttps://github.com/openbao/openbao
- WEBhttps://github.com/openbao/openbao/commit/131c6966af4dfb4e1906703436eecdb8f2a3e9df
- WEBhttps://github.com/openbao/openbao/issues/3074
- WEBhttps://github.com/openbao/openbao/pull/3076
- WEBhttps://github.com/openbao/openbao/releases/tag/v2.5.4
- WEBhttps://github.com/openbao/openbao/security/advisories/GHSA-q8cj-789h-vg24