OpenBao, Cross-namespace Lease Revocation, CVE-2026-45808 (High) -DC-May2026-19

Listen to this Post

OpenBao’s cross-namespace lease revocation vulnerability (CVE-2026-45808) arises from missing namespace checks in legacy API endpoints. OpenBao namespaces are designed to enforce strict multi‑tenant isolation: leases, tokens, and credentials created in one namespace should be unreachable from any other namespace. However, the legacy endpoints `sys/revoke` and `sys/renew` (along with `sys/revoke-prefix` and sys/revoke-force) were never integrated into the namespace model. When a lease identifier is leaked (or intentionally shared) by a tenant, a user in a different namespace can directly call these legacy endpoints with that lease ID, bypassing all ACL and namespace boundary checks. The server processes the request as if it originated in the lease’s owning namespace, granting the cross‑namespace actor the ability to revoke or renew the lease. This breaks the fundamental security promise of OpenBao’s namespaces. The issue is not a simple configuration oversight – the legacy endpoints predate the namespace feature and were never updated to enforce isolation. As a result, any tenant who leaks a lease identifier (or can guess a valid lease ID) can have their credentials revoked or renewed by an attacker in any other namespace, effectively dismantling tenant separation. The only complete mitigation is upgrading to OpenBao v2.5.4, which entirely removes the affected legacy endpoints; no configuration workaround can restore proper isolation because the flaw is in the endpoint’s core logic.

DailyCVE Form:

Platform: OpenBao
Version: ≤2.5.3
Vulnerability: ACL bypass
Severity: High
Date: 2026‑05‑28

Prediction: Patched v2.5.4

What Undercode Say:

Check for active leases across namespaces

bao list sys/leases/lookup

Attempt a cross‑namespace revoke using leaked lease ID

curl –header “X-Vault-Token: ” \

–request POST \

/v1/sys/revoke/

Verify absence of namespace validation (pre‑2.5.4)

grep -r “sys/revoke” $(find . -name “.go”) | grep -v “sys/leases/revoke”

Exploit:

An attacker with a token in namespace “NS‑A” obtains a lease identifier belonging to namespace “NS‑B” (e.g., by monitoring logs or exploiting a separate info leak). The attacker then sends a POST request to <openbao_url>/v1/sys/revoke/<lease_id>. Because the legacy `sys/revoke` handler does not check the request’s namespace against the lease’s originating namespace, the server revokes the lease and any associated credentials (tokens, dynamic secrets). The same attack works for `sys/renew` to extend the lease lifetime. No special privileges are required beyond a valid token in any namespace and the leaked lease ID.

Protection:

  1. Upgrade immediately to OpenBao v2.5.4 or later; this release removes the vulnerable legacy endpoints (sys/revoke, sys/renew, sys/revoke-prefix, sys/revoke-force) entirely.
  2. If an immediate upgrade is impossible, block network access to the legacy endpoints using a reverse proxy or WAF rule that rejects any request to `/v1/sys/revoke` and /v1/sys/renew.
  3. Audit logs for unexpected revocations or renewals: search for `auth.namespace != request.namespace` in log entries (for versions that still log such mismatches).
  4. Rotate all credentials and tokens that may have been exposed before the upgrade.

Impact:

Successful exploitation allows a user in any namespace to revoke or renew leases from any other namespace, completely bypassing OpenBao’s multi‑tenant ACL model. An attacker can:
– Deny service by revoking leases critical to other tenants.
– Extend access by renewing expired leases, prolonging unauthorised credentials.
– Break auditability because operations appear as legitimate lease modifications, leaving no cross‑namespace alert.
– Remove secrets tied to the leases, leading to data loss or application failure for the victim tenant.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top