Cyber Posture

CVE-2026-33757

Critical

Published: 27 March 2026

Modified: 30 March 2026
CVSS Score: 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L)
EPSS Score: 0.0003 (10.3rd percentile)
Risk Priority: 19 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-33757 is a critical-severity Session Fixation (CWE-384) vulnerability in OpenBao (vendor Openbao, product Openbao). Its CVSS base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Spearphishing Link (T1566.002). The CVE ranks at the 10.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Spearphishing Link (T1566.002) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- Prevent (SI-2, Flaw Remediation): Flaw remediation directly mitigates CVE-2026-33757 by applying the patch in OpenBao version 2.5.2, which adds a confirmation screen for direct mode logins.
- Prevent (CM-6, Configuration Settings): Secure configuration settings prevent the vulnerability by removing or disabling roles with callback_mode=direct, as the documented workaround.
- Prevent: Managing identity providers and authorization servers enables enforcement of user confirmation on the token issuer side for the OpenBao Client ID, aligning with the recommended workaround.

MITRE ATT&CK Enterprise Techniques

- T1566.002 Spearphishing Link (Initial Access): Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
- T1528 Steal Application Access Token (Credential Access): Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
Why these techniques?

The CVE enables a phishing attack via crafted authentication URLs (T1566.002) that exploits session fixation in direct callback_mode OIDC/JWT flows, allowing an attacker to obtain valid application access tokens tied to the victim's identity (T1528) without further interaction.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao does not prompt for user confirmation when logging in via JWT/OIDC and a role with `callback_mode` set to `direct`. This allows an attacker to start an authentication request and perform "remote phishing" by having the victim visit the URL and automatically log-in to the session of the attacker. Despite being based on the authorization code flow, the `direct` mode calls back directly to the API and allows an attacker to poll for an OpenBao token until it is issued. Version 2.5.2 includes an additional confirmation screen for `direct` type logins that requires manual user interaction in order to finish the authentication. This issue can be worked around either by removing any roles with `callback_mode=direct` or enforcing confirmation for every session on the token issuer side for the Client ID used by OpenBao.

Deeper analysis

CVE-2026-33757 affects OpenBao, an open-source identity-based secrets management system, in versions prior to 2.5.2. The vulnerability arises during JWT/OIDC authentication when a role is configured with `callback_mode` set to `direct`. In this mode, OpenBao fails to prompt users for confirmation before completing the login process. Although based on the authorization code flow, the `direct` mode bypasses typical redirects by calling back directly to the OpenBao API, enabling polling for authentication tokens. This issue is classified under CWE-384 (Session Fixation) with a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L).

An attacker can exploit this vulnerability remotely without privileges by initiating an authentication request tied to a `direct` mode role. The attacker then tricks a victim into visiting a crafted URL, which automatically authenticates the victim into the attacker's session upon page load—a form of remote phishing. By polling the OpenBao API, the attacker obtains a valid token associated with the victim's credentials, granting high confidentiality and integrity impact, such as access to managed secrets.

The official patch in OpenBao version 2.5.2 introduces a confirmation screen for `direct` type logins, requiring manual user interaction to complete authentication. Workarounds include removing roles with `callback_mode=direct` or configuring the token issuer to enforce confirmation for every session using the OpenBao Client ID. Details are available in the GitHub security advisory (GHSA-7q7g-x6vg-xpc3) and the fixing commit (e32103951925723e9787e33886ab6b6ec20f4964), with additional context in RFC 8628 section 5.4 on OAuth 2.0 incremental authorization.
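The two remediation paths above (upgrade to 2.5.2, or remove roles with `callback_mode=direct`) translate into a simple audit: enumerate the JWT/OIDC auth mounts, flag any role whose `callback_mode` is `direct`, and compare the server version against 2.5.2. The script below is an added example written for this page; it is not OpenBao's own tooling. The assessment logic runs on a constructed sample of role documents; the optional `fetch_mount_roles`/`fetch_version` helpers assume OpenBao's Vault-compatible HTTP API (`GET /v1/sys/health` carrying a `version` field, `GET /v1/<mount>role?list=true`, `GET /v1/<mount>role/<name>`, and the `X-Vault-Token` header), which you should verify against your build before relying on them.

```python
"""Audit OpenBao JWT/OIDC roles for the callback_mode=direct exposure of CVE-2026-33757.

The pure functions work on role documents already in hand; the fetch helpers are optional
and use endpoint paths/headers assumed from the Vault-compatible API (an assumption, not
taken from the advisory).
"""
import json
import urllib.request

FIXED_VERSION = (2, 5, 2)  # advisory: fixed in OpenBao 2.5.2 (confirmation screen added)


def parse_version(v: str) -> tuple:
    """Turn '2.4.3', 'v2.5.2+ent' or '2.5' into a 3-tuple; build/pre-release tags are dropped."""
    core = v.strip().lstrip("v").split("+")[0].split("-")[0]
    parts = [int(p) for p in core.split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def version_is_vulnerable(v: str) -> bool:
    """Everything before 2.5.2 lacks the direct-mode confirmation screen."""
    return parse_version(v) < FIXED_VERSION


def direct_mode_roles(roles: dict) -> list:
    """roles: {role_name: role_config}. Returns the names configured with callback_mode=direct."""
    return sorted(name for name, cfg in roles.items() if cfg.get("callback_mode") == "direct")


def assess(version: str, mounts: dict) -> dict:
    """mounts: {mount_path: {role_name: role_config}} -> status, affected roles and the action to take."""
    direct = {m: direct_mode_roles(r) for m, r in mounts.items()}
    direct = {m: names for m, names in direct.items() if names}
    vulnerable = version_is_vulnerable(version)
    if vulnerable and direct:
        status, action = "EXPOSED", (
            "upgrade to OpenBao 2.5.2 or later; until then remove or disable the listed roles "
            "(or move them off callback_mode=direct) and/or enforce per-session confirmation at the issuer"
        )
    elif vulnerable:
        status, action = "UPGRADE_RECOMMENDED", "no direct-mode roles found, but the build predates the fix"
    elif direct:
        status, action = "PATCHED", "direct-mode logins now require the 2.5.2 confirmation screen"
    else:
        status, action = "NOT_AFFECTED", "patched build and no direct-mode roles"
    return {"version": version, "status": status, "direct_roles": direct, "action": action}


def fetch_version(addr: str, token: str) -> str:
    """Assumed endpoint: GET /v1/sys/health returns a JSON object with a 'version' field."""
    req = urllib.request.Request(f"{addr}/v1/sys/health", headers={"X-Vault-Token": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["version"]


def fetch_mount_roles(addr: str, token: str, mount: str) -> dict:
    """Assumed endpoints: GET <mount>role?list=true for names, GET <mount>role/<name> for each config."""
    def call(path: str) -> dict:
        req = urllib.request.Request(f"{addr}/v1/{path}", headers={"X-Vault-Token": token})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)["data"]
    names = call(f"{mount}role?list=true").get("keys", [])
    return {n: call(f"{mount}role/{n}") for n in names}


# Constructed sample: one OIDC mount with a direct-mode role, one JWT mount without callback_mode.
SAMPLE_MOUNTS = {
    "auth/oidc/": {
        "admin": {"role_type": "oidc", "callback_mode": "direct", "user_claim": "sub"},
        "reader": {"role_type": "oidc", "callback_mode": "client", "user_claim": "sub"},
    },
    "auth/jwt/": {
        "ci": {"role_type": "jwt", "user_claim": "sub"},
    },
}

if __name__ == "__main__":
    # Offline demonstration on the constructed sample; point fetch_* at a live server to audit for real.
    for ver in ("2.4.3", "v2.5.2+ent"):
        print(json.dumps(assess(ver, SAMPLE_MOUNTS), indent=2))
```

Run it against a live instance by replacing `SAMPLE_MOUNTS` with `{m: fetch_mount_roles(addr, token, m) for m in mounts}` for each JWT/OIDC mount path you operate, and `version` with `fetch_version(addr, token)`. A `PATCHED` result still lists the direct-mode roles, since the issuer-side confirmation workaround from the advisory remains a reasonable defence-in-depth setting for those roles.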

Details

CWE(s)

CWE-384 (Session Fixation)
Affected Products

Vendor: openbao; Product: openbao; Versions: ≤ 2.5.2

CVEs Like This One

- CVE-2025-54997: same product (Openbao Openbao)
- CVE-2026-33492: shared CWE-384
- CVE-2026-23796: shared CWE-384
- CVE-2023-53741: shared CWE-384
- CVE-2025-63529: shared CWE-384
- CVE-2026-40010: shared CWE-384
- CVE-2025-29928: shared CWE-384
- CVE-2026-24352: shared CWE-384
- CVE-2025-52689: shared CWE-384
- CVE-2025-69602: shared CWE-384
