Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. OpenBao before v2.3.0 allowed an attacker to perform unauthenticated, unaudited cancellation of root rekey and recovery rekey operations, effecting a denial of service. In OpenBao v2.2.0 and later, manually setting the configuration option disable_unauthed_rekey_endpoints=true allows an operator to deny these rarely-used endpoints on global listeners. A patch is available at commit fe75468822a22a88318c6079425357a02ae5b77b. In a future OpenBao release communicated on OpenBao's website, the maintainers will set this to true for all users and provide an authenticated alternative. As a workaround, if an active proxy or load balancer sits in front of OpenBao, an operator can deny requests to these endpoints from unauthorized IP ranges.
AnalysisAI
OpenBao versions before 2.3.0 contain an unauthenticated denial-of-service vulnerability in the root rekey and recovery rekey endpoints that allows attackers to cancel critical key management operations without authentication or audit logging. This affects organizations using OpenBao for secrets management, and the high CVSS 7.5 score reflects the availability impact, though the vulnerability requires no special privileges or user interaction to exploit.
Technical ContextAI
OpenBao is a secrets management and data protection solution that manages cryptographic keys, certificates, and sensitive credentials. The vulnerability exists in the rekey operation endpoints, which are used to rotate root keys and recovery keys—critical administrative functions in a secrets vault. The root cause is classified under CWE-20 (Improper Input Validation), indicating insufficient validation of requests to these administrative endpoints. These endpoints should require authentication and authorization but instead accept unauthenticated cancellation requests. This is a design/implementation flaw where security controls (authentication, authorization, audit logging) are missing from sensitive API endpoints that modify vault state. The affected product is OpenBao (fork/derivative of HashiCorp Vault), with specific impact on versions prior to 2.3.0.
RemediationAI
Upgrade OpenBao to version 2.3.0 or later; details: Apply patch from commit fe75468822a22a88318c6079425357a02ae5b77b Workaround (Immediate - for v2.2.0+): Set configuration option disable_unauthed_rekey_endpoints=true in OpenBao configuration; details: This disables the vulnerable rekey endpoints on global listeners. Requires restart of OpenBao service. Workaround (Network-based): Restrict access to rekey endpoints via network controls; details: If an active proxy, load balancer, or firewall sits in front of OpenBao, configure access controls to deny requests to the root rekey and recovery rekey endpoints from unauthorized IP ranges. Specifically block HTTP requests to endpoints like /v1/sys/rekey/init, /v1/sys/rekey/cancel, /v1/sys/rekey-recovery-key/init, /v1/sys/rekey-recovery-key/cancel from untrusted sources. Future Mitigation: Awaiting future OpenBao release; details: Maintainers will set disable_unauthed_rekey_endpoints=true by default for all users and provide an authenticated alternative to rekey endpoints, as announced on OpenBao's website.
Vault and Vault Enterprise (“Vault”) TLS certificate auth method did not correctly validate client certificates when con
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certifi
Vault’s SSH secrets engine did not require the valid_principals list to contain a value by default. Rated high severity
OpenBao is an open source identity-based secrets management system. Rated high severity (CVSS 7.5), this vulnerability i
Vault Community and Vault Enterprise (“Vault”) clusters using Vault’s Integrated Storage backend are vulnerable to a den
A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certifi
Vault Community and Vault Enterprise Key/Value (kv) Version 2 plugin may unintentionally expose sensitive information in
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certifi
Disk exhaustion via decompression bomb in OpenBao's OCI plugin downloader allows network attackers to exhaust victim dis
OpenBao versions prior to 2.5.3 allow high-privileged administrators in one tenant to revoke or renew authentication tok
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certifi
Same weakness CWE-20 – Improper Input Validation
View allSame technique Denial Of Service
View allVendor StatusVendor
Debian
Bug #1069794| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| open | - | - |
SUSE
Severity: High| Product | Status |
|---|---|
| SUSE Linux Enterprise Server 16.0 | Fixed |
| openSUSE Tumbleweed | Fixed |
| SUSE Linux Enterprise Server 16.0 | Fixed |
| SUSE Linux Enterprise Server 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-19111
GHSA-prpj-rchp-9j5h