LeakyCreds

CVE-2026-33757 - Vulnerability Analysis

Severity: Critical (CVSS 9.6)

Last Updated: March 30, 2026

OpenBao - Authentication Bypass

Published: March 27, 2026
Updated: March 30, 2026
Remote Exploitable

Overview

OpenBao versions before 2.5.2 contain an authentication bypass: the server does not ask the user for confirmation during JWT/OIDC login when the role's callback_mode is set to direct. An attacker can abuse this for remote phishing and token polling; exploitation requires the victim to visit a crafted URL.

Severity & Score

Severity: Critical
CVSS Score: 9.6
EPSS Score: 6.0% (probability of exploitation in the next 30 days)

Impact

Attackers can perform remote phishing to log victims into attacker sessions and poll for tokens, leading to unauthorized access.

Mitigation

Update to version 2.5.2 or later.
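An added audit helper (not part of this page or of the OpenBao project) that turns the overview and mitigation above into a check: it compares the server version against the fixed release 2.5.2 and flags JWT/OIDC roles whose `callback_mode` is `direct`. The input dicts mirror what OpenBao's `sys/health` and role-read responses carry, but the sample data below is constructed, and treating a missing `callback_mode` as non-direct is an assumption.

```python
"""Audit helper for CVE-2026-33757: OpenBao JWT/OIDC roles with callback_mode=direct."""
import re

FIXED_VERSION = (2, 5, 2)  # first release that prompts for user confirmation


def parse_version(text: str) -> tuple:
    """Turn '2.5.1' or 'v2.5.1+ent' into a comparable (major, minor, patch) tuple."""
    match = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable_version(version: str) -> bool:
    """True when the running release predates the 2.5.2 fix."""
    return parse_version(version) < FIXED_VERSION


def exposed_roles(roles: dict) -> list:
    """Return role names whose callback_mode is 'direct'.

    roles maps role name -> the 'data' object of a role read. A role without the
    field is assumed (here) to use a non-direct default and is not flagged.
    """
    return sorted(
        name for name, cfg in roles.items()
        if cfg.get("callback_mode", "client") == "direct"
    )


def assess(health: dict, roles: dict) -> dict:
    """Combine version and role findings; action is required only if both apply."""
    version = health.get("version", "")
    vulnerable = is_vulnerable_version(version)
    direct = exposed_roles(roles)
    return {
        "version": version,
        "vulnerable_version": vulnerable,
        "direct_roles": direct,
        "action_required": vulnerable and bool(direct),
    }


# Constructed sample input standing in for live sys/health and role-read responses.
SAMPLE_HEALTH = {"version": "2.5.1", "sealed": False}
SAMPLE_ROLES = {
    "ci-deploy": {"callback_mode": "direct", "user_claim": "sub"},
    "operators": {"callback_mode": "client", "user_claim": "sub"},
    "legacy": {"user_claim": "email"},
}

if __name__ == "__main__":
    print(assess(SAMPLE_HEALTH, SAMPLE_ROLES))
```

On a real deployment, feed `assess` the `version` from `GET /v1/sys/health` and one role-read result per role listed under each JWT/OIDC auth mount; a vulnerable version with no direct-mode roles still warrants the upgrade.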

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Mar 27, 2026

🔓 CVE-2026-33757 - Critical (9.6) OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao does not prompt for user confirmation when logging in via JWT/OIDC and a role with `callback_mode` set to `direct`. This allows an attacker to star... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-33757/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-33757
Severity: Critical
CVSS Score: 9.6
Type: broken_authentication
Status: unconfirmed
EPSS: 6.0%
Social Posts: 1

CWE

  • CWE-384

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L

EPSS Score

6.0% (probability of exploitation in the next 30 days)