LeakyCreds

CVE-2026-33757 - Vulnerability Analysis

Critical (CVSS 9.6)

Last Updated: March 27, 2026

OpenBao - Authentication Bypass

Published: March 27, 2026
Updated: March 27, 2026
Remote Exploitable

Overview

OpenBao before 2.5.2 contains an authentication bypass: the JWT/OIDC login flow, when callback_mode is set to direct, does not ask the user to confirm the login. An attacker can phish a victim remotely into completing that flow and then poll for the resulting token. Exploitation requires the victim to visit a crafted URL.

Severity & Score

Severity: Critical
CVSS Score: 9.6

Impact

An attacker can remotely phish a victim into completing a login that is tied to the attacker's own session, then poll for the issued token, resulting in unauthorized access.

Mitigation

Update to version 2.5.2 or later.
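As an added example (not code from the LeakyCreds page or the OpenBao project), a small Python audit that tells you whether a deployment is exposed: it is affected only when the server is older than 2.5.2 and at least one JWT/OIDC role sets callback_mode to direct. The version string and role documents are assumed to come from OpenBao's Vault-compatible API (GET /v1/sys/health and GET /v1/auth/<mount>/role/<name>); the sample data below is constructed.

```python
import re

# Version that carries the fix for CVE-2026-33757.
FIXED_VERSION = (2, 5, 2)


def parse_version(version: str) -> tuple[int, int, int, int]:
    """Turn "2.5.1", "v2.5.2" or "2.5.2-beta1" into a comparable tuple.

    The fourth element is 1 for a final release and 0 for a pre-release,
    so "2.5.2-beta1" sorts before "2.5.2" and is not treated as fixed.
    """
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1)


def version_is_fixed(version: str) -> bool:
    """True when the server runs 2.5.2 (final) or any later release."""
    return parse_version(version) >= FIXED_VERSION + (1,)


def vulnerable_roles(version: str, mounts: dict[str, dict[str, dict]]) -> list[str]:
    """Return "<mount><role>" for every JWT/OIDC role that is exposed.

    `mounts` maps an auth mount path (as listed under GET /v1/sys/auth,
    assumption) to {role_name: role_document}. A role is flagged only when
    its callback_mode is "direct"; the default ("client") is not affected,
    and nothing is flagged once the server is on a fixed version.
    """
    if version_is_fixed(version):
        return []
    found = []
    for mount, roles in mounts.items():
        for name, doc in roles.items():
            if doc.get("callback_mode", "client") == "direct":
                found.append(f"{mount}{name}")
    return sorted(found)


# Constructed sample, not taken from a real deployment.
SAMPLE_MOUNTS = {
    "oidc/": {
        "cli-login": {"role_type": "oidc", "callback_mode": "direct"},
        "browser-login": {"role_type": "oidc", "callback_mode": "client"},
    },
    "jwt-ci/": {
        "github-actions": {"role_type": "jwt"},  # no callback_mode key at all
    },
}

if __name__ == "__main__":
    print(vulnerable_roles("2.5.1", SAMPLE_MOUNTS))  # ['oidc/cli-login']
```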

Details

CVE ID: CVE-2026-33757
Severity: Critical
CVSS Score: 9.6
Type: broken_authentication
Status: new

CWE

  • CWE-384

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L