{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39946", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-07T22:40:33.821Z", "datePublished": "2026-04-21T00:19:39.578Z", "dateUpdated": "2026-04-21T13:34:21.088Z"}, "containers": {"cna": {"title": "OpenBao allows SQL Injection in PostgreSQL database secrets engine", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/openbao/openbao/security/advisories/GHSA-6vgr-cp5c-ffx3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openbao/openbao/security/advisories/GHSA-6vgr-cp5c-ffx3"}], "affected": [{"vendor": "openbao", "product": "openbao", "versions": [{"version": "< 2.5.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T00:19:39.578Z"}, "descriptions": [{"lang": "en", "value": "OpenBao is an open source identity-based secrets management system. Prior to version 2.5.3, when OpenBao revoked privileges on a role in the PostgreSQL database secrets engine, OpenBao failed to use proper database quoting on schema names provided by PostgreSQL. This could lead to role revocation failures, or more rarely, SQL injection as the management user. This vulnerability was original from HashiCorp Vault. The vulnerability is addressed in v2.5.3. As a workaround, audit table schemas and ensure database users cannot create new schemas and grant privileges on them."}], "source": {"advisory": "GHSA-6vgr-cp5c-ffx3", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T13:34:12.690431Z", "id": "CVE-2026-39946", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T13:34:21.088Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39946", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T13:34:12.690431Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T13:34:17.196Z"}}], "cna": {"title": "OpenBao allows SQL Injection in PostgreSQL database secrets engine", "source": {"advisory": "GHSA-6vgr-cp5c-ffx3", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "openbao", "product": "openbao", "versions": [{"status": "affected", "version": "< 2.5.3"}]}], "references": [{"url": "https://github.com/openbao/openbao/security/advisories/GHSA-6vgr-cp5c-ffx3", "name": "https://github.com/openbao/openbao/security/advisories/GHSA-6vgr-cp5c-ffx3", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "OpenBao is an open source identity-based secrets management system. Prior to version 2.5.3, when OpenBao revoked privileges on a role in the PostgreSQL database secrets engine, OpenBao failed to use proper database quoting on schema names provided by PostgreSQL. This could lead to role revocation failures, or more rarely, SQL injection as the management user. This vulnerability was original from HashiCorp Vault. The vulnerability is addressed in v2.5.3. As a workaround, audit table schemas and ensure database users cannot create new schemas and grant privileges on them."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T00:19:39.578Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39946", "state": "PUBLISHED", "dateUpdated": "2026-04-21T13:34:21.088Z", "dateReserved": "2026-04-07T22:40:33.821Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T00:19:39.578Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "OpenBao is an open source identity-based secrets management system. Prior to version 2.5.3, when OpenBao revoked privileges on a role in the PostgreSQL database secrets engine, OpenBao failed to use proper database quoting on schema names provided by PostgreSQL. This could lead to role revocation failures, or more rarely, SQL injection as the management user. This vulnerability was original from HashiCorp Vault. The vulnerability is addressed in v2.5.3. As a workaround, audit table schemas and ensure database users cannot create new schemas and grant privileges on them."}], "id": "CVE-2026-39946", "lastModified": "2026-04-21T16:20:24.180", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T01:16:06.790", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/openbao/openbao/security/advisories/GHSA-6vgr-cp5c-ffx3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "OpenBao: OpenBao: SQL injection via improper database quoting during PostgreSQL role revocation", "id": "2459953", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2459953"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-89", "details": ["A flaw was found in OpenBao. When OpenBao revoked privileges on a role in the PostgreSQL database secrets engine, it failed to use proper database quoting on schema names. This oversight could lead to role revocation failures or, in rarer instances, allow a management user to perform SQL injection."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, audit table schemas within the PostgreSQL database used by OpenBao. Ensure that database users are restricted from creating new schemas and granting privileges on them. This operational control helps prevent the conditions that could lead to SQL injection during role privilege revocation. A restart or service reload of OpenBao may be required for these changes to take full effect."}, "name": "CVE-2026-39946", "package_state": [{"cpe": "cpe:/a:redhat:cryostat:4", "fix_state": "Not affected", "package_name": "cryostat/cryostat-storage-rhel9", "product_name": "Cryostat 4"}], "public_date": "2026-04-21T00:19:39Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-39946\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-39946\nhttps://github.com/openbao/openbao/security/advisories/GHSA-6vgr-cp5c-ffx3"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.5.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "openbao", "source": "cna", "vendor": "openbao"}, "product": "openbao", "vendor": "openbao"}], "analysis": {"en": {"generated_at": "2026-04-21T15:33:38.671145+00:00", "value": {"mitigation_remediation": ["Upgrade OpenBao to version 2.5.3 or later to eliminate the quoting flaw.", "If an upgrade cannot be performed immediately, audit existing PostgreSQL schema names for special characters and restrict database users from creating new schemas or granting privileges that could be leveraged by malicious input.", "Ensure that the database user or role used by OpenBao for the secrets engine is limited to the minimum necessary privileges and that any input used to form SQL statements is properly validated or escaped, following the principle of putting input validation before database interaction."], "summary": {"action": "Apply patch", "impact": "SQL injection in PostgreSQL database secrets engine"}, "threat_synthesis": {"affected_systems": "Vulnerable installations of OpenBao up to and including version 2.5.2. The issue is specific to deployments that employ the PostgreSQL database secrets engine for role management.", "description_and_impact": "OpenBao, an open source identity-based secrets management system, failed to properly quote schema names when revoking privileges in its PostgreSQL database secrets engine before version 2.5.3. This flaw allows crafted schema names to bypass normal quoting mechanisms, potentially resulting in role revocation failures or, in less common cases, SQL injection executed with the privileges of the OpenBao management user. The injection could compromise confidentiality, integrity, or availability of the database data.", "risk_and_exploitability": "The CVSS score of 4.6 indicates moderate severity, and the EPSS score is unavailable, suggesting no readily available data on exploitation likelihood. Because the vulnerability requires exploitation of the OpenBao API or management path, it is likely to be an internal or authenticated vector rather than a fully remote public one. The vulnerability is not listed in CISA\u2019s KEV catalog, which reduces the urgency of immediate action but still warrants remediation due to the potential for privilege escalation."}}}}, "created": "2026-04-21T02:45:25.754227+00:00", "updated": "2026-04-21T15:37:55.179331+00:00", "vendors": ["openbao", "openbao$PRODUCT$openbao"]}