Back to list

OpenBao's Namespace Deletion May Not Delete Data Properly — CVE-2026-42186

GHSA · GitHub · CVE-2026-42186

ID
CVE-2026-42186
Date
Updated
Activity
Source
GHSA
Vendor
GitHub
Threat
low
CVSS
2.3

Summary

### Impact When OpenBao's initial namespace deletion fails, subsequent retries fail to properly remove all data before marking the namespace as deleted. This can affect any outstanding leases as well as potentially leaving unrelated storage entries around. ### Patches This will be patched in OpenBao v2.5.3. ### Workarounds Users may manually remove mounts prior to deleting the namespace. Audit logs may be used to…

Product

go: github.com/openbao/openbao

What to do

General, cautious steps (verify details in the official source):

  • Review exposure and plan remediation based on risk and environment.
  • Identify affected product versions in your inventory and verify whether you are impacted.
  • Apply vendor patches/updates or recommended mitigations as soon as available.
  • Read the official advisory for exact affected versions and remediation steps.

Official advisory

Related advisories

GitHub GHSA 2026-W20