CVE-2026-39946
MEDIUM4.9EPSS 0.03%OpenBao's SQL Injection in PostgreSQL database secrets engine
發布日:2026/4/21修改日:2026/5/5
描述
### Impact When OpenBao revoked privileges on a role in the PostgreSQL database secrets engine, OpenBao failed to use proper database quoting on schema names provided by PostgreSQL. This could lead to role revocation failures, or more rarely, SQL injection as the management user. This vulnerability was originally from HashiCorp Vault. ### Patches This was addressed in v2.5.3. ### Workarounds Audit table schemas and ensure database users cannot create new schemas and grant privileges on them.
受影響套件(1)
- Go/github.com/openbao/openbaofrom 0, < 0.0.0-20260420155735-b596b0882620
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM4.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N |
參考連結(6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-39946
- PATCHhttps://github.com/openbao/openbao
- WEBhttps://github.com/openbao/openbao/commit/80693a46ebb4fc2455f1c51ed1dd853b28c2fd77
- WEBhttps://github.com/openbao/openbao/pull/2931
- WEBhttps://github.com/openbao/openbao/releases/tag/v2.5.3
- WEBhttps://github.com/openbao/openbao/security/advisories/GHSA-6vgr-cp5c-ffx3