CVE-2026-33757

OpenBao · OpenBao

OpenBao fails to require user confirmation during OIDC/JWT logins in `direct` mode, enabling unauthenticated remote phishing and session hijacking.

Executive summary

An unauthenticated attacker can hijack victim sessions in OpenBao by exploiting a lack of user confirmation in the OIDC login flow, leading to unauthorized access to secrets.

Vulnerability

When using JWT/OIDC with callback_mode set to direct, OpenBao does not prompt for user confirmation. An unauthenticated attacker can initiate an authentication request and trick a victim into visiting a URL, which automatically logs the victim into the attacker's session, allowing the attacker to poll for and obtain the resulting token.

Business impact

This vulnerability allows for the unauthorized acquisition of OpenBao tokens, which are used to access sensitive secrets and credentials. Compromise of a secrets management system can lead to a catastrophic breach of the entire infrastructure. The CVSS score of 9.6 reflects the ease of exploitation and the critical nature of the compromised data.

Remediation

Immediate Action: Upgrade OpenBao to version 2.5.2 or later, which introduces a mandatory confirmation screen for `direct` callback-mode logins.

Proactive Monitoring: Audit access logs for any OIDC login attempts using callback_mode: direct and review session creation patterns for anomalies.

Compensating Controls: As a workaround, administrators can remove any roles configured with callback_mode=direct or enforce confirmation on the identity provider (OIDC issuer) side.
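An added example for the audit step above (not OpenBao's own tooling): it inventories JWT/OIDC auth mounts and flags roles whose `callback_mode` is `direct`, so they can be removed or re-checked after upgrading. It assumes the Vault-compatible HTTP API paths (`sys/auth`, `auth/<mount>/role`), the `X-Vault-Token` header and the `BAO_ADDR`/`BAO_TOKEN` environment variables; the sample responses are constructed, not captured from a live server.

```python
# Added example (not OpenBao's own code): inventory JWT/OIDC roles and flag
# those configured with callback_mode=direct. API paths and response shapes
# are assumed to follow the Vault-compatible HTTP API.
import json
import os
import urllib.request

SAMPLE_AUTH = {  # constructed stand-in for GET /v1/sys/auth "data"
    "token/": {"type": "token"},
    "oidc/": {"type": "oidc"},
    "jwt-ci/": {"type": "jwt"},
}
SAMPLE_ROLES = {  # constructed stand-in for GET /v1/auth/<mount>/role/<name> "data"
    "oidc/": {
        "admins": {"role_type": "oidc", "callback_mode": "direct"},
        "devs": {"role_type": "oidc", "callback_mode": "client"},
        "legacy": {"role_type": "oidc"},  # callback_mode unset: plugin default, not direct
    },
    "jwt-ci/": {"pipeline": {"role_type": "jwt"}},  # jwt roles have no browser callback
}

def jwt_mounts(auth_data):
    """Return auth mount paths backed by the jwt/oidc plugin (either type name)."""
    return sorted(p for p, cfg in auth_data.items() if cfg.get("type") in ("jwt", "oidc"))

def find_direct_roles(auth_data, roles_by_mount):
    """Return (mount, role) pairs for OIDC roles that explicitly use callback_mode=direct."""
    hits = []
    for mount in jwt_mounts(auth_data):
        for name, cfg in roles_by_mount.get(mount, {}).items():
            if cfg.get("role_type") == "oidc" and cfg.get("callback_mode") == "direct":
                hits.append((mount, name))
    return hits

def fetch_from_server(addr, token):
    """Build the same two structures from a live instance (assumed X-Vault-Token auth)."""
    def call(path, method="GET"):
        req = urllib.request.Request(f"{addr}/v1/{path}", method=method,
                                     headers={"X-Vault-Token": token})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)["data"]
    auth_data = call("sys/auth")
    roles = {}
    for mount in jwt_mounts(auth_data):  # mount paths already end with "/"
        names = call(f"auth/{mount}role", method="LIST").get("keys", [])
        roles[mount] = {n: call(f"auth/{mount}role/{n}") for n in names}
    return auth_data, roles

if __name__ == "__main__":
    addr, token = os.environ.get("BAO_ADDR"), os.environ.get("BAO_TOKEN")
    data = fetch_from_server(addr, token) if addr and token else (SAMPLE_AUTH, SAMPLE_ROLES)
    for mount, role in find_direct_roles(*data):
        print(f"{mount}{role}: callback_mode=direct (remove role or upgrade to >= 2.5.2)")
```

Run without environment variables to see the check against the constructed data; with `BAO_ADDR` and `BAO_TOKEN` set it queries the instance, which requires a token able to read `sys/auth` and the role paths.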

Exploitation status

Public Exploit Available: false

Analyst recommendation

The primary remediation is to update OpenBao to version 2.5.2 immediately. Given that this affects the core security of a secrets management platform, the update should be treated as high priority. If patching is delayed, the suggested workaround of disabling direct callback mode must be implemented immediately.