OpenBao CVE-2026-55775
LOWSeverity by source
Low-privilege authenticated token required (PR:L); scope changes from child to parent namespace (S:C); namespace deletion yields high integrity and availability impact.
Lifecycle Timeline
2DescriptionCVE.org
Summary
A user that is granted namespace management (/sys/namespaces) capabilities within a non-root namespace ("the victim namespace") can abuse special handling of the literal path "root" in namespace path canonicalization to manage the victim namespace itself.
Details
Several endpoints under /sys/namespaces/* accept a namespace path segment that is canonicalized and then appended to the path of the sys mount's containing namespace (set via path prefix or X-Vault-Namespace header) to determine the absolute path of the namespace to operate on.
Given the special namespace path "root" canonicalizes to en empty path (""), when passed as /sys/namespaces/root, the resulting absolute namespace path remains equal to the sys mount's containing namespace. Given ACLs are evaluated before namespace path canonicalization, this allows users with capabilities on /sys/namespaces/root within any given namespace to operate on the namespace itself instead.
Impact
Users that were granted the required capabilities can abuse this vulnerability to:
- Look up
- Delete
- Lock
- Patch custom metadata
against the namespace containing the system backend they can manage sys/namespaces/root in. The exact range of operations that can be performed depends on the specific capabilities granted on said path and any sub-paths such as /api-lock.
Notably, the root namespace is immutable and cannot be modified, deleted or locked, and is thus unaffected. Also note that users can only abuse this vulnerability to operate on the direct parent or "containing" namespace relative to their capabilities, not arbitrary namespaces.
Patch
This will be fixed in OpenBao v2.5.5.
PoC
Start a development server:
bao server -devCreate a namespace:
bao namespace create victimThis will be the namespace we gain unauthorized management of.
Create a policy that allows management of namespaces, _inside_ of the victim namespace.
bao policy write -namespace=victim namespace-management - <<EOF
path "sys/namespaces/*" {
capabilities = ["read", "update", "patch", "delete"]
}
EOFThen create a token with above policy attached:
export BAO_TOKEN=$(bao token create -namespace=victim -policy=namespace-management -field=token)Operate on the victim's namespace using the token, for example by outright deleting it:
bao namespace delete -namespace=victim rootAnalysisAI
Namespace path canonicalization in OpenBao (versions 0.1.0 through 2.5.4) allows an authenticated token-holder with delegated namespace management capabilities inside a non-root namespace to operate on the containing (parent) namespace itself, rather than only its children. By passing the reserved literal string 'root' as the target namespace path to any /sys/namespaces/* endpoint, the path resolves to the containing namespace after canonicalization - because ACL evaluation occurs before that resolution, the access check passes on the child-scoped policy while the actual operation targets the parent. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated OpenBao token that has been granted at least one of `read`, `update`, `patch`, or `delete` capabilities on the path `sys/namespaces/*` or specifically `sys/namespaces/root` within a non-root namespace - this is the standard policy path assigned to delegated namespace administrators. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No official CVSS score has been assigned; the assessed vector is independently derived from the vulnerability description and patch diff. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A service account token bound to a policy granting `read`, `delete`, `patch`, and `update` on `sys/namespaces/*` within the 'victim' namespace issues the API call `DELETE /v1/sys/namespaces/root` with the `X-Vault-Namespace: victim` header. OpenBao's ACL engine approves the request (the policy covers `sys/namespaces/root`), then `Canonicalize('root')` returns an empty string, resolving the target to the 'victim' namespace itself. … |
| Remediation | Upgrade to OpenBao v2.5.5 or later (https://github.com/openbao/openbao/releases/tag/v2.5.5), which incorporates fix commit d3c1cc64b1ae introducing the `ParseName()` validation function and removing 'root' from the canonicalization alias map. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
HashiCorp Terraform’s Vault Provider (terraform-provider-vault) did not correctly configure GCE-type bound labels for Va
An XML external entity (XXE) vulnerability in the Password Vault Web Access (PVWA) of CyberArk Enterprise Password Vault
PhotoRange Photo Vault 1.2 appends the password to the URI for authorization, which makes it easier for remote attackers
The REST API in CyberArk Password Vault Web Access before 9.9.5 and 10.x before 10.1 allows remote attackers to execute
Account takeover in self-hosted Bitwarden Server before 2026.6.0 lets a low-privileged organization member steal any oth
vault-cli is a configurable command-line interface tool (and python library) to interact with Hashicorp Vault. Rated cri
The SRP-6a implementation in Kee Vault KeePassRPC before 1.12.0 is missing validation for a client-provided parameter, w
The SRP-6a implementation in Kee Vault KeePassRPC before 1.12.0 generates insufficiently random numbers, which allows re
HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) before 4.0.24 uses weak permissions for the sudo help
Atlantis is a self-hosted golang application that listens for Terraform pull request events via webhooks. Rated high sev
Coder allows organizations to provision remote development environments via Terraform. Rated high severity (CVSS 8.1), t
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-mwr2-wmgp-crj6