Skip to main content

OpenBao CVE-2026-55776

MEDIUM
Reachable Assertion (CWE-617)
2026-06-19 https://github.com/openbao/openbao GHSA-8w8f-r2xv-4q4j
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
6.5 MEDIUM

Network API access required with low-privilege write token (PR:L); single crafted request with no complexity (AC:L); pure availability impact as server process terminates with no data exposure.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H
SUSE
MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 19, 2026 - 23:47 vuln.today
Analysis Generated
Jun 19, 2026 - 23:47 vuln.today

DescriptionGitHub Advisory

On OpenBao 2.5.4 and 2.5.2(and likely earlier versions also), an authenticated caller with write access to transit/keys/* can crash the OpenBao server by issuing a single key-creation request that combines an asymmetric type (rsa-*, ecdsa-*, ed25519) with derived: true. The server returns no HTTP response and the process terminates (exit code 2). This is a remote, low-complexity denial-of-service against the OpenBao server.

Mount the transit engine:

curl -sS -X POST -H "X-Vault-Token: root" \ -d '{"type":"transit"}' \ http://127.0.0.1:8200/v1/sys/mounts/transit

Trigger the crash:

curl -sS -w '\nHTTP %{http_code}\n' -X POST \ -H "X-Vault-Token: root" \ -H "Content-Type: application/json" \ -d '{"type":"rsa-2048","derived":true,"exportable":true,"deletion_allowed":false}' \ http://127.0.0.1:8200/v1/transit/keys/some-key-name

You can try with both JSON or HCL It will crash the entire cluster.

Observed: HTTP 000 curl: (52) Empty reply from server

$ docker ps -a --filter name=openbao STATUS: Exited (2)

Root Cause (Hypothesis) Key-derivation paths in the transit engine appear to assume a symmetric key shape (a derivable key context). When derived: true is supplied alongside an asymmetric type, the creation path likely panics on a missing derived-key field or invalid type assertion rather than returning a structured validation error. Maintainers should confirm against the transit policy.go / key-creation path.

Suggested fix: Validate the (type, derived) combination at the top of the create-key handler. Reject with a 400 if derived: true is set on any non-symmetric type (i.e. anything other than aes128-gcm96, aes256-gcm96, chacha20-poly1305, xchacha20-poly1305). Do this before any code path that may panic on missing derived-key state.

AnalysisAI

OpenBao's transit secrets engine crashes the entire server process when an authenticated caller submits a key-creation request combining an asymmetric key type (rsa-*, ecdsa-*, ed25519) with the derived: true parameter. Affected versions confirmed as 2.5.2 and 2.5.4, with earlier versions also likely vulnerable per the GHSA advisory. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege OpenBao token with transit/keys/* write access
Delivery
Confirm transit engine is mounted (or mount it if permitted)
Exploit
POST crafted key-creation request with asymmetric type and derived: true
Execution
Server Go runtime panics on invalid type assertion
Persist
OpenBao process exits (code 2)
Impact
Entire cluster availability lost

Vulnerability AssessmentAI

Exploitation Exploitation requires: (1) a valid OpenBao authentication token with write access to the transit/keys/* path - enforced by OpenBao ACL policy; (2) the transit secrets engine to be mounted (default mount path /transit or any custom path); (3) the attacker to supply both an asymmetric key type (rsa-2048, rsa-3072, rsa-4096, ecdsa-p256, ecdsa-p384, ecdsa-p521, or ed25519) AND derived: true in the same key-creation request body. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) yields a score of 6.5, which accurately reflects the attack profile: network-accessible via HTTP API, low attack complexity once authenticated, requires low-privilege credentials (write access to transit/keys/*), and delivers complete availability loss through server crash. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker holding a valid OpenBao token with write permission to transit/keys/* - such as a compromised service account or a malicious insider - issues a single HTTP POST to /v1/transit/keys/<any-name> with the JSON body {"type":"rsa-2048","derived":true,"exportable":true,"deletion_allowed":false}. The server process panics immediately, returns no HTTP response (HTTP 000), and exits with code 2, taking the entire OpenBao cluster offline. …
Remediation Upgrade to OpenBao v2.5.5, released at https://github.com/openbao/openbao/releases/tag/v2.5.5, which incorporates fix commit db57c62602b25da12951f3f0edb888e7c4da61e5 from PR #3309 (https://github.com/openbao/openbao/pull/3309). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Docker

View all
CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2019-5736 HIGH POC
8.6 Feb 11

runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac

CVE-2023-32077 HIGH POC
7.5 Aug 24

Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2023-5815 HIGH POC
8.1 Nov 22

The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post

CVE-2014-9357 CRITICAL
10.0 Dec 16

Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build

CVE-2026-34156 CRITICAL POC
9.9 Mar 30

Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l

CVE-2019-15752 HIGH POC
7.8 Aug 28

Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c

CVE-2025-34221 CRITICAL POC
10.0 Sep 29

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2

CVE-2024-23054 CRITICAL POC
9.8 Feb 05

An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du

CVE-2025-23211 CRITICAL POC
9.9 Jan 28

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve

CVE-2026-46339 CRITICAL POC
10.0 May 19

Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Module for Package Hub 15 SP5 Affected
SUSE Linux Enterprise Module for Package Hub 15 SP6 Affected
openSUSE Leap 15.5 Affected
openSUSE Leap 15.6 Affected

Share

CVE-2026-55776 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy