Skip to main content

OpenBao CVE-2026-55775

LOW
Improper Authorization (CWE-285)
2026-06-19 https://github.com/openbao/openbao GHSA-mwr2-wmgp-crj6

Severity by source

vuln.today AI
9.9 CRITICAL

Low-privilege authenticated token required (PR:L); scope changes from child to parent namespace (S:C); namespace deletion yields high integrity and availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:H

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 19, 2026 - 23:48 vuln.today
Analysis Generated
Jun 19, 2026 - 23:48 vuln.today

DescriptionCVE.org

Summary

A user that is granted namespace management (/sys/namespaces) capabilities within a non-root namespace ("the victim namespace") can abuse special handling of the literal path "root" in namespace path canonicalization to manage the victim namespace itself.

Details

Several endpoints under /sys/namespaces/* accept a namespace path segment that is canonicalized and then appended to the path of the sys mount's containing namespace (set via path prefix or X-Vault-Namespace header) to determine the absolute path of the namespace to operate on.

Given the special namespace path "root" canonicalizes to en empty path (""), when passed as /sys/namespaces/root, the resulting absolute namespace path remains equal to the sys mount's containing namespace. Given ACLs are evaluated before namespace path canonicalization, this allows users with capabilities on /sys/namespaces/root within any given namespace to operate on the namespace itself instead.

Impact

Users that were granted the required capabilities can abuse this vulnerability to:

  • Look up
  • Delete
  • Lock
  • Patch custom metadata

against the namespace containing the system backend they can manage sys/namespaces/root in. The exact range of operations that can be performed depends on the specific capabilities granted on said path and any sub-paths such as /api-lock.

Notably, the root namespace is immutable and cannot be modified, deleted or locked, and is thus unaffected. Also note that users can only abuse this vulnerability to operate on the direct parent or "containing" namespace relative to their capabilities, not arbitrary namespaces.

Patch

This will be fixed in OpenBao v2.5.5.

PoC

Start a development server:

sh
bao server -dev

Create a namespace:

sh
bao namespace create victim

This will be the namespace we gain unauthorized management of.

Create a policy that allows management of namespaces, _inside_ of the victim namespace.

sh
bao policy write -namespace=victim namespace-management - <<EOF
path "sys/namespaces/*" {
	capabilities = ["read", "update", "patch", "delete"]
}
EOF

Then create a token with above policy attached:

sh
export BAO_TOKEN=$(bao token create -namespace=victim -policy=namespace-management -field=token)

Operate on the victim's namespace using the token, for example by outright deleting it:

sh
bao namespace delete -namespace=victim root

AnalysisAI

Namespace path canonicalization in OpenBao (versions 0.1.0 through 2.5.4) allows an authenticated token-holder with delegated namespace management capabilities inside a non-root namespace to operate on the containing (parent) namespace itself, rather than only its children. By passing the reserved literal string 'root' as the target namespace path to any /sys/namespaces/* endpoint, the path resolves to the containing namespace after canonicalization - because ACL evaluation occurs before that resolution, the access check passes on the child-scoped policy while the actual operation targets the parent. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain token with sys/namespaces/* policy inside victim namespace
Delivery
Submit DELETE /v1/sys/namespaces/root with X-Vault-Namespace: victim header
Exploit
ACL evaluation passes against literal 'root' path (policy match)
Execution
Canonicalize('root') resolves to empty string
Persist
Absolute target path equals containing namespace
Impact
Victim namespace deleted or locked

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated OpenBao token that has been granted at least one of `read`, `update`, `patch`, or `delete` capabilities on the path `sys/namespaces/*` or specifically `sys/namespaces/root` within a non-root namespace - this is the standard policy path assigned to delegated namespace administrators. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No official CVSS score has been assigned; the assessed vector is independently derived from the vulnerability description and patch diff. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A service account token bound to a policy granting `read`, `delete`, `patch`, and `update` on `sys/namespaces/*` within the 'victim' namespace issues the API call `DELETE /v1/sys/namespaces/root` with the `X-Vault-Namespace: victim` header. OpenBao's ACL engine approves the request (the policy covers `sys/namespaces/root`), then `Canonicalize('root')` returns an empty string, resolving the target to the 'victim' namespace itself. …
Remediation Upgrade to OpenBao v2.5.5 or later (https://github.com/openbao/openbao/releases/tag/v2.5.5), which incorporates fix commit d3c1cc64b1ae introducing the `ParseName()` validation function and removing 'root' from the canonicalization alias map. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2021-30476 CRITICAL POC
9.8 Apr 22

HashiCorp Terraform’s Vault Provider (terraform-provider-vault) did not correctly configure GCE-type bound labels for Va

CVE-2019-7442 CRITICAL POC
9.8 May 08

An XML external entity (XXE) vulnerability in the Password Vault Web Access (PVWA) of CyberArk Enterprise Password Vault

CVE-2018-20371 CRITICAL POC
9.8 Dec 23

PhotoRange Photo Vault 1.2 appends the password to the URI for authorization, which makes it easier for remote attackers

CVE-2018-9843 CRITICAL POC
9.8 Apr 12

The REST API in CyberArk Password Vault Web Access before 9.9.5 and 10.x before 10.1 allows remote attackers to execute

CVE-2026-60104 CRITICAL POC
9.3 Jul 08

Account takeover in self-hosted Bitwarden Server before 2026.6.0 lets a low-privileged organization member steal any oth

CVE-2021-43837 CRITICAL POC
9.1 Dec 16

vault-cli is a configurable command-line interface tool (and python library) to interact with Hashicorp Vault. Rated cri

CVE-2020-16272 CRITICAL POC
9.1 Aug 03

The SRP-6a implementation in Kee Vault KeePassRPC before 1.12.0 is missing validation for a client-provided parameter, w

CVE-2020-16271 CRITICAL POC
9.1 Aug 03

The SRP-6a implementation in Kee Vault KeePassRPC before 1.12.0 generates insufficiently random numbers, which allows re

CVE-2017-11741 HIGH POC
8.8 Aug 08

HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) before 4.0.24 uses weak permissions for the sudo help

CVE-2024-52009 HIGH POC
8.5 Nov 08

Atlantis is a self-hosted golang application that listens for Terraform pull request events via webhooks. Rated high sev

CVE-2025-58437 HIGH POC
8.1 Sep 06

Coder allows organizations to provision remote development environments via Terraform. Rated high severity (CVSS 8.1), t

Share

CVE-2026-55775 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy