OpenBao, Certificate Authentication Bypass, CVE-2026-39388 (Low)

Listen to this Post

OpenBao’s certificate authentication method contains a flaw when `disable_binding=true` is configured. During a token renewal request, the method attempts to verify that the current mTLS certificate matches the one originally used to create the token. Due to incorrect matching logic, an attacker who possesses any valid certificate signed by the same Certificate Authority (CA) can present it during renewal. The system does not properly compare the certificate against the original role or the originally supplied certificate, allowing the attacker’s sibling certificate to be accepted. Token renewals for other authentication methods do not require any login information, but this bug specifically affects the certificate backend. The attack requires knowledge of either the original token or its accessor. Once the renewal succeeds, the attacker can extend the lifetime of dynamic leases held by the original token, gaining prolonged access to secrets and privileges. The issue originally existed in HashiCorp Vault and was inherited by OpenBao. The patch is included in OpenBao v2.5.3, which introduces stricter certificate binding checks during token renewal. Administrators can also work around the issue by tightly scoping privileged roles to a single certificate.

DailyCVE Form

Platform: OpenBao
Version: < 2.5.3
Vulnerability: Certificate auth bypass
Severity: Low
Date: 2026-04-21

Prediction: 2026-04-21

Analytics under What Undercode Say:

Check current OpenBao version
openbao version
List certificate authentication roles
openbao list auth/cert/certs
Test token renewal with sibling certificate
curl -k --cert sibling.crt --key sibling.key \
-X POST https://openbao:8200/v1/auth/token/renew \
-H "X-Vault-Token: $TARGET_TOKEN"

Exploit:

An attacker with a sibling certificate signed by the same CA and knowledge of the original token’s ID or accessor sends a token renewal request. The system incorrectly validates the sibling certificate, granting renewal and extending the token’s lifetime.

Protection from this CVE

  • Upgrade to OpenBao v2.5.3 or later.
  • If upgrade is not possible, set `disable_binding=false` (default) or tightly scope privileged roles to a single certificate.
  • Monitor audit logs for unexpected token renewals from certificates that do not match the original role.

Impact

An attacker can prolong access to secrets and dynamic leases without possessing the original certificate, effectively bypassing certificate‑based authentication controls. This can lead to persistent unauthorized access within the OpenBao environment.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top