### Summary OpenBao users with access to the `sys/leases/revoke/:lease_id` endpoint in any namespace can revoke leases in any other…
CWE-863 (Incorrect Authorization) · Published 2026-06-19
### Summary

OpenBao users with access to the `sys/leases/revoke/:lease_id` endpoint in any namespace can revoke leases in any other namespace, as long as the lease identifier is known to them, bypassing the ACLs that should apply to cross-namespace revocations.

### Impact

OpenBao's namespaces provide multi-tenant separation. A tenant whose lease identifiers become known to a user in another tenant, whether the identifiers were shared deliberately or leaked inadvertently, can have those leases and their underlying credentials revoked by that user. Holding the revoke capability in the attacker's own namespace is sufficient; no permission in the victim's namespace is required.

### Patch

This will be fixed in OpenBao v2.5.5.

### References

This vulnerability is similar to but distinct from:

- CVE-2026-45808 / GHSA-v8v8-cm84-m686
- CVE-2026-40264 / GHSA-p49j-v9wc-wg57
| CVSS Version | Score Type | Source | Base Score | Exploitability | Impact | Vector String |
|---|---|---|---|---|---|---|
| 4.0 | Secondary | GHSA | 2.1 (Low) | — | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
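The following Go program is an added illustration of the authorization gap described in the summary; it is not OpenBao's code and does not reproduce its lease manager, policy engine or lease ID format. It models a revoke handler that only checks the caller's capability on `sys/leases/revoke/*` in the caller's own namespace (the behaviour the advisory describes) next to a hardened handler that also requires the lease to belong to the caller's namespace or one of its descendants. The namespace hierarchy rule, the `Lease`/`Request` types, the sample lease ID `tenant-b/database/creds/app/abc` and the `CanRevoke` flag standing in for a policy evaluation are all assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Lease is a simplified lease record: the model assumes the lease manager
// stores every namespace's leases in one global table keyed by lease ID.
type Lease struct {
	ID        string
	Namespace string // normalized path such as "tenant-b/"; "" is the root namespace
	Revoked   bool
}

// Request is the caller's context for sys/leases/revoke/:lease_id.
// CanRevoke stands in for a real ACL evaluation of the revoke path in the
// caller's namespace (assumption: policies are evaluated per namespace).
type Request struct {
	Namespace string
	CanRevoke bool
	LeaseID   string
}

var (
	ErrDenied   = errors.New("permission denied")
	ErrNotFound = errors.New("lease not found")
)

// LeaseStore is the global lease table of the model.
type LeaseStore map[string]*Lease

// normalizeNS gives every non-root namespace a trailing slash so that prefix
// comparison cannot confuse "tenant-a/" with "tenant-ab/".
func normalizeNS(ns string) string {
	ns = strings.Trim(ns, "/")
	if ns == "" {
		return ""
	}
	return ns + "/"
}

// sameOrDescendant reports whether target is the caller's namespace or one of
// its children. Assumed hierarchy rule: a parent may manage its children's
// leases, never the reverse, and the root namespace ("") sees everything.
func sameOrDescendant(caller, target string) bool {
	return strings.HasPrefix(normalizeNS(target), normalizeNS(caller))
}

// RevokeVulnerable mirrors the flaw: the ACL check only asks whether the
// caller may call sys/leases/revoke/* in its own namespace, then the handler
// revokes whatever lease ID it was handed, wherever that lease lives.
func (s LeaseStore) RevokeVulnerable(req Request) error {
	if !req.CanRevoke {
		return ErrDenied
	}
	l, ok := s[req.LeaseID]
	if !ok {
		return ErrNotFound
	}
	l.Revoked = true
	return nil
}

// RevokeHardened additionally binds the lease to the caller's namespace.
// A foreign lease is reported as not found rather than denied so that the
// endpoint does not confirm which lease IDs exist in other tenants.
func (s LeaseStore) RevokeHardened(req Request) error {
	if !req.CanRevoke {
		return ErrDenied
	}
	l, ok := s[req.LeaseID]
	if !ok || !sameOrDescendant(req.Namespace, l.Namespace) {
		return ErrNotFound
	}
	l.Revoked = true
	return nil
}

// NewSampleStore builds a constructed lease issued in tenant-b.
func NewSampleStore() LeaseStore {
	return LeaseStore{
		"tenant-b/database/creds/app/abc": &Lease{
			ID:        "tenant-b/database/creds/app/abc",
			Namespace: "tenant-b/",
		},
	}
}

func main() {
	// A user in tenant-a who holds revoke rights only in tenant-a, and who
	// has learned the lease ID from tenant-b.
	attacker := Request{Namespace: "tenant-a/", CanRevoke: true, LeaseID: "tenant-b/database/creds/app/abc"}

	s := NewSampleStore()
	fmt.Println("vulnerable:", s.RevokeVulnerable(attacker), "revoked =", s[attacker.LeaseID].Revoked)

	s = NewSampleStore()
	fmt.Println("hardened:  ", s.RevokeHardened(attacker), "revoked =", s[attacker.LeaseID].Revoked)
}
```

The hardened path deliberately returns the same error for "does not exist" and "exists in a namespace you cannot see", since an attacker who already has a lease ID gains nothing further, but one probing for IDs would otherwise get an oracle. Until the fix ships, treating lease identifiers as sensitive and limiting who holds the revoke capability in each namespace narrows the exposure.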