OpenBao, SQL Injection, CVE-2026-39946 (Moderate)

This vulnerability occurs when OpenBao’s PostgreSQL secrets engine revokes a database role. The engine fails to apply proper SQL quoting to schema names, allowing specially crafted schema names to break out of the intended SQL command. A malicious actor with the ability to create a database schema can embed single quotes or other SQL syntax within the schema name. When the revocation logic executes a command like REVOKE ALL ON SCHEMA ..., the unsanitized input is concatenated directly. This can either cause the revocation to fail or, in more complex cases, inject arbitrary SQL statements that execute with the privileges of OpenBao’s database management user. The root cause is the absence of `quote_identifier` or similar escaping on schema names, which is a classic CWE-89 SQL injection. The flaw was originally present in HashiCorp Vault and carried over to OpenBao. The attack requires the attacker to have prior control over a schema name, and the impact is limited because the management user’s privileges are already high. The CVSS v4.0 base score is 4.6, reflecting the need for high privileges and an attack requirement. The issue is fixed in OpenBao version 2.5.3 by implementing proper identifier quoting.
Platform: OpenBao
Version: <2.5.3
Vulnerability: SQL injection
Severity: Moderate
Date: 2026-04-21

Prediction: Already patched

What Undercode Says:

Check if the OpenBao version is vulnerable (regex dots escaped so they match literal dots):
openbao --version | grep -E "^Version: [0-2]\.[0-4]\.|^Version: 2\.5\.[0-2]"

Audit PostgreSQL for unusual schema names:
psql -U postgres -d openbao_db -c "SELECT nspname FROM pg_namespace WHERE nspname LIKE '%''%' OR nspname LIKE '%;%';"

Example of a malicious schema name:
CREATE SCHEMA "'; DROP TABLE users; --";

How to Exploit:

An attacker with database access creates a schema containing SQL metacharacters, e.g., "'; DELETE FROM credentials; --". When OpenBao later revokes privileges on that role, the unquoted schema name is injected, causing the management user to execute the attacker’s SQL command.

Protection from this CVE:

Upgrade to OpenBao v2.5.3 or later. Audit existing schemas and remove any containing suspicious characters. Apply database user restrictions to prevent creation of arbitrary schemas.
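As an added illustration (not OpenBao's own code), the unquoted string concatenation the description above refers to beside the identifier-quoted form that the fix relies on, together with the schema-name audit from the mitigation steps expressed as a Go check. The function names and sample schema names are constructed for this example; the audit check also flags double quotes, since those are the character that matters inside a quoted identifier.

```go
package main

import (
	"fmt"
	"strings"
)

// quoteIdent applies PostgreSQL identifier quoting: wrap the name in double
// quotes and double any embedded double quote. This is the same rule the SQL
// function quote_identifier() applies when a name needs quoting.
func quoteIdent(name string) string {
	return `"` + strings.ReplaceAll(name, `"`, `""`) + `"`
}

// revokeUnsafe builds the statement the way the vulnerable pattern does: the
// schema name is concatenated verbatim, so any SQL syntax it carries becomes
// part of the command text.
func revokeUnsafe(schema, role string) string {
	return fmt.Sprintf("REVOKE ALL ON SCHEMA %s FROM %s;", schema, role)
}

// revokeSafe is the fixed form: both identifiers are quoted, so the schema
// name can only ever be interpreted as a name, never as SQL.
func revokeSafe(schema, role string) string {
	return fmt.Sprintf("REVOKE ALL ON SCHEMA %s FROM %s;", quoteIdent(schema), quoteIdent(role))
}

// suspiciousSchema is the audit check as code: flag names containing quoting
// or statement-separating characters (single quote, double quote, semicolon).
func suspiciousSchema(name string) bool {
	return strings.ContainsAny(name, `'";`)
}

func main() {
	// Constructed samples: a benign schema name and one carrying metacharacters.
	for _, s := range []string{"app_data", `bad"; --`} {
		fmt.Printf("schema %q suspicious=%v\n  unsafe: %s\n  safe:   %s\n",
			s, suspiciousSchema(s), revokeUnsafe(s, "v-role-1"), revokeSafe(s, "v-role-1"))
	}
}
```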

Impact:

Successful SQL injection could allow an attacker to read, modify, or delete database contents, escalate privileges, or cause denial of service, all under the context of the management user.

Sources:

Reported By: github.com