{
  "threat_severity" : "Moderate",
  "public_date" : "2026-04-21T00:19:39Z",
  "bugzilla" : {
    "description" : "OpenBao: SQL injection via improper database quoting during PostgreSQL role revocation",
    "id" : "2459953",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2459953"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.9",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
    "status" : "draft"
  },
  "cwe" : "CWE-89",
  "details" : [ "A flaw was found in OpenBao. When OpenBao revoked privileges on a role in the PostgreSQL database secrets engine, it failed to use proper database quoting on schema names. This oversight could lead to role revocation failures or, in rarer instances, allow a management user to perform SQL injection." ],
  "package_state" : [ {
    "product_name" : "Cryostat 4",
    "fix_state" : "Not affected",
    "package_name" : "cryostat/cryostat-storage-rhel9",
    "cpe" : "cpe:/a:redhat:cryostat:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-39946\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-39946\nhttps://github.com/openbao/openbao/security/advisories/GHSA-6vgr-cp5c-ffx3" ],
  "name" : "CVE-2026-39946",
  "mitigation" : {
    "value" : "To mitigate this issue, audit table schemas within the PostgreSQL database used by OpenBao. Ensure that database users are restricted from creating new schemas and granting privileges on them. This operational control helps prevent the conditions that could lead to SQL injection during role privilege revocation. A restart or service reload of OpenBao may be required for these changes to take full effect.",
    "lang" : "en:us"
  },
  "csaw" : false
}