Alpine: multiple openbao packages: security update to 2.5.4-r0

Critical | Tenable Cloud Security Plugin ID 442269

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao does
not prompt for user confirmation when logging in via JWT/OIDC with a role whose `callback_mode` is set to
`direct`. This allows an attacker to start an authentication request and perform "remote phishing" by
having the victim visit the URL and automatically log in to the attacker's session. Despite being
based on the authorization code flow, the `direct` mode calls back directly to the API and allows an
attacker to poll for an OpenBao token until it is issued. Version 2.5.2 adds a confirmation screen for
`direct` type logins that requires manual user interaction in order to finish the authentication. This
issue can be worked around either by removing any roles with `callback_mode=direct` or by enforcing
confirmation for every session on the token issuer side for the Client ID used by OpenBao.
(CVE-2026-33757)

- An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete
secrets they were not authorized to read or write, resulting in denial of service. This vulnerability did
not allow a malicious user to delete secrets across namespaces, nor to read any secret data. Fixed in Vault
Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16. (CVE-2026-3605)

- Vault is vulnerable to a denial-of-service condition where an unauthenticated attacker can repeatedly
initiate or cancel root token generation or rekey operations, occupying the single in-progress operation
slot. This prevents legitimate operators from completing these workflows. This vulnerability,
CVE-2026-5807, is fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0. (CVE-2026-5807)

- OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao
installations that have an OIDC/JWT authentication method enabled and a role with `callback_mode=direct`
configured are vulnerable to XSS via the `error_description` parameter on the page shown for a failed
authentication. This gives an attacker access to the token used in the Web UI by a victim. The
`error_description` parameter has been replaced with a static error message in v2.5.2. The vulnerability
can be mitigated by removing any roles with `callback_mode` set to `direct`. (CVE-2026-33758)

Solution

Update the openbao library and its related packages to version 2.5.4-r0 or later.

See Also

https://security.alpinelinux.org/vuln/CVE-2026-3605

https://security.alpinelinux.org/vuln/CVE-2026-5807

https://security.alpinelinux.org/vuln/CVE-2026-33757

https://security.alpinelinux.org/vuln/CVE-2026-33758

https://security.alpinelinux.org/vuln/CVE-2026-39388

https://security.alpinelinux.org/vuln/CVE-2026-39396

https://security.alpinelinux.org/vuln/CVE-2026-39946

https://security.alpinelinux.org/vuln/CVE-2026-40264

https://security.alpinelinux.org/vuln/CVE-2026-45808

https://security.alpinelinux.org/vuln/CVE-2026-46358

https://security.alpinelinux.org/vuln/CVE-2026-46405

Plugin Details

Severity: Critical

ID: 442269

Version: Revision 1.2

Type: Local

Published: 5/22/2026

Updated: 6/1/2026

Supported Sensors: Agentless Assessment

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: High

Base Score: 9.7

Temporal Score: 7.6

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:P

CVSS Score Source: CVE-2026-33757

CVSS v3

Risk Factor: High

Base Score: 8.3

Temporal Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Critical

Base Score: 9.4

Threat Score: 8.6

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CVSS Score Source: CVE-2026-33758

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 3/25/2026

Reference Information

CVE: CVE-2026-33757, CVE-2026-33758, CVE-2026-3605, CVE-2026-39388, CVE-2026-39396, CVE-2026-39946, CVE-2026-40264, CVE-2026-45808, CVE-2026-46358, CVE-2026-46405, CVE-2026-5807