CVE-2026-46358
OpenBao's Inline Auth Incorrectly Redacted Headers
發布日:2026/5/28修改日:2026/5/28
描述
### Impact OpenBao's inline auth functionality incorrectly redacted audit log entries, resulting in non-auth headers being removed and auth-related headers being retained in cleartext. This requires an attacker to compromise access to the audit device. Operators should review leaked source authentication material and rotate it as appropriate. ### Patches This is fixed in OpenBao v2.5.4. ### Resources https://github.com/openbao/openbao/issues/3074
受影響套件(1)
- Go/github.com/openbao/openbaofrom 0, < 2.5.4
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
參考連結(6)
- PATCHhttps://github.com/openbao/openbao
- WEBhttps://github.com/openbao/openbao/commit/131c6966af4dfb4e1906703436eecdb8f2a3e9df
- WEBhttps://github.com/openbao/openbao/issues/3074
- WEBhttps://github.com/openbao/openbao/pull/3076
- WEBhttps://github.com/openbao/openbao/releases/tag/v2.5.4
- WEBhttps://github.com/openbao/openbao/security/advisories/GHSA-q8cj-789h-vg24