Skip to main content

Openbao CVE-2025-52894

| EUVDEUVD-2025-19111 HIGH
Improper Input Validation (CWE-20)
2025-06-25 security-advisories@github.com GHSA-prpj-rchp-9j5h
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
EUVD ID Assigned
Mar 15, 2026 - 23:19 euvd
EUVD-2025-19111
Analysis Generated
Mar 15, 2026 - 23:19 vuln.today
Patch released
Mar 15, 2026 - 23:19 nvd
Patch available
CVE Published
Jun 25, 2025 - 17:15 nvd
HIGH 7.5

DescriptionGitHub Advisory

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. OpenBao before v2.3.0 allowed an attacker to perform unauthenticated, unaudited cancellation of root rekey and recovery rekey operations, effecting a denial of service. In OpenBao v2.2.0 and later, manually setting the configuration option disable_unauthed_rekey_endpoints=true allows an operator to deny these rarely-used endpoints on global listeners. A patch is available at commit fe75468822a22a88318c6079425357a02ae5b77b. In a future OpenBao release communicated on OpenBao's website, the maintainers will set this to true for all users and provide an authenticated alternative. As a workaround, if an active proxy or load balancer sits in front of OpenBao, an operator can deny requests to these endpoints from unauthorized IP ranges.

AnalysisAI

OpenBao versions before 2.3.0 contain an unauthenticated denial-of-service vulnerability in the root rekey and recovery rekey endpoints that allows attackers to cancel critical key management operations without authentication or audit logging. This affects organizations using OpenBao for secrets management, and the high CVSS 7.5 score reflects the availability impact, though the vulnerability requires no special privileges or user interaction to exploit.

Technical ContextAI

OpenBao is a secrets management and data protection solution that manages cryptographic keys, certificates, and sensitive credentials. The vulnerability exists in the rekey operation endpoints, which are used to rotate root keys and recovery keys—critical administrative functions in a secrets vault. The root cause is classified under CWE-20 (Improper Input Validation), indicating insufficient validation of requests to these administrative endpoints. These endpoints should require authentication and authorization but instead accept unauthenticated cancellation requests. This is a design/implementation flaw where security controls (authentication, authorization, audit logging) are missing from sensitive API endpoints that modify vault state. The affected product is OpenBao (fork/derivative of HashiCorp Vault), with specific impact on versions prior to 2.3.0.

RemediationAI

Upgrade OpenBao to version 2.3.0 or later; details: Apply patch from commit fe75468822a22a88318c6079425357a02ae5b77b Workaround (Immediate - for v2.2.0+): Set configuration option disable_unauthed_rekey_endpoints=true in OpenBao configuration; details: This disables the vulnerable rekey endpoints on global listeners. Requires restart of OpenBao service. Workaround (Network-based): Restrict access to rekey endpoints via network controls; details: If an active proxy, load balancer, or firewall sits in front of OpenBao, configure access controls to deny requests to the root rekey and recovery rekey endpoints from unauthorized IP ranges. Specifically block HTTP requests to endpoints like /v1/sys/rekey/init, /v1/sys/rekey/cancel, /v1/sys/rekey-recovery-key/init, /v1/sys/rekey-recovery-key/cancel from untrusted sources. Future Mitigation: Awaiting future OpenBao release; details: Maintainers will set disable_unauthed_rekey_endpoints=true by default for all users and provide an authenticated alternative to rekey endpoints, as announced on OpenBao's website.

CVE-2024-2048 CRITICAL
9.8 Mar 04

Vault and Vault Enterprise (“Vault”) TLS certificate auth method did not correctly validate client certificates when con

CVE-2025-54997 CRITICAL
9.1 Aug 09

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certifi

CVE-2024-7594 HIGH
8.8 Sep 26

Vault’s SSH secrets engine did not require the valid_principals list to contain a value by default. Rated high severity

CVE-2025-64761 HIGH
7.5 Nov 25

OpenBao is an open source identity-based secrets management system. Rated high severity (CVSS 7.5), this vulnerability i

CVE-2024-8185 HIGH
7.5 Oct 31

Vault Community and Vault Enterprise (“Vault”) clusters using Vault’s Integrated Storage backend are vulnerable to a den

CVE-2024-9180 HIGH
7.2 Oct 10

A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or

CVE-2025-54998 MEDIUM
5.3 Aug 09

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certifi

CVE-2025-4166 MEDIUM
4.5 May 02

Vault Community and Vault Enterprise Key/Value (kv) Version 2 plugin may unintentionally expose sensitive information in

CVE-2025-52893 MEDIUM
4.5 Jun 25

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certifi

CVE-2026-39396 LOW
3.1 Apr 21

Disk exhaustion via decompression bomb in OpenBao's OCI plugin downloader allows network attackers to exhaust victim dis

CVE-2026-40264 LOW
2.0 Apr 21

OpenBao versions prior to 2.5.3 allow high-privileged administrators in one tenant to revoke or renew authentication tok

CVE-2025-55003 MEDIUM
5.7 Aug 09

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certifi

Vendor StatusVendor

Debian

Bug #1069794
openbao
Release Status Fixed Version Urgency
open - -

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Server 16.0 Fixed
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Server 16.0 Fixed
SUSE Linux Enterprise Server 16.1 Fixed
SUSE Linux Enterprise Server for SAP applications 16.0 Fixed

Share

CVE-2025-52894 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy