OpenBao CVE-2026-55776
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Network API access required with low-privilege write token (PR:L); single crafted request with no complexity (AC:L); pure availability impact as server process terminates with no data exposure.
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
On OpenBao 2.5.4 and 2.5.2(and likely earlier versions also), an authenticated caller with write access to transit/keys/* can crash the OpenBao server by issuing a single key-creation request that combines an asymmetric type (rsa-*, ecdsa-*, ed25519) with derived: true. The server returns no HTTP response and the process terminates (exit code 2). This is a remote, low-complexity denial-of-service against the OpenBao server.
Mount the transit engine:
curl -sS -X POST -H "X-Vault-Token: root" \ -d '{"type":"transit"}' \ http://127.0.0.1:8200/v1/sys/mounts/transit
Trigger the crash:
curl -sS -w '\nHTTP %{http_code}\n' -X POST \ -H "X-Vault-Token: root" \ -H "Content-Type: application/json" \ -d '{"type":"rsa-2048","derived":true,"exportable":true,"deletion_allowed":false}' \ http://127.0.0.1:8200/v1/transit/keys/some-key-name
You can try with both JSON or HCL It will crash the entire cluster.
Observed: HTTP 000 curl: (52) Empty reply from server
$ docker ps -a --filter name=openbao STATUS: Exited (2)
Root Cause (Hypothesis) Key-derivation paths in the transit engine appear to assume a symmetric key shape (a derivable key context). When derived: true is supplied alongside an asymmetric type, the creation path likely panics on a missing derived-key field or invalid type assertion rather than returning a structured validation error. Maintainers should confirm against the transit policy.go / key-creation path.
Suggested fix: Validate the (type, derived) combination at the top of the create-key handler. Reject with a 400 if derived: true is set on any non-symmetric type (i.e. anything other than aes128-gcm96, aes256-gcm96, chacha20-poly1305, xchacha20-poly1305). Do this before any code path that may panic on missing derived-key state.
AnalysisAI
OpenBao's transit secrets engine crashes the entire server process when an authenticated caller submits a key-creation request combining an asymmetric key type (rsa-*, ecdsa-*, ed25519) with the derived: true parameter. Affected versions confirmed as 2.5.2 and 2.5.4, with earlier versions also likely vulnerable per the GHSA advisory. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires: (1) a valid OpenBao authentication token with write access to the transit/keys/* path - enforced by OpenBao ACL policy; (2) the transit secrets engine to be mounted (default mount path /transit or any custom path); (3) the attacker to supply both an asymmetric key type (rsa-2048, rsa-3072, rsa-4096, ecdsa-p256, ecdsa-p384, ecdsa-p521, or ed25519) AND derived: true in the same key-creation request body. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) yields a score of 6.5, which accurately reflects the attack profile: network-accessible via HTTP API, low attack complexity once authenticated, requires low-privilege credentials (write access to transit/keys/*), and delivers complete availability loss through server crash. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker holding a valid OpenBao token with write permission to transit/keys/* - such as a compromised service account or a malicious insider - issues a single HTTP POST to /v1/transit/keys/<any-name> with the JSON body {"type":"rsa-2048","derived":true,"exportable":true,"deletion_allowed":false}. The server process panics immediately, returns no HTTP response (HTTP 000), and exits with code 2, taking the entire OpenBao cluster offline. … |
| Remediation | Upgrade to OpenBao v2.5.5, released at https://github.com/openbao/openbao/releases/tag/v2.5.5, which incorporates fix commit db57c62602b25da12951f3f0edb888e7c4da61e5 from PR #3309 (https://github.com/openbao/openbao/pull/3309). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac
Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post
Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build
Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l
Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2
An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve
Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at
Same weakness CWE-617 – Reachable Assertion
View allSame technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: Moderate| Product | Status |
|---|---|
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Affected |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Affected |
| openSUSE Leap 15.5 | Affected |
| openSUSE Leap 15.6 | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-8w8f-r2xv-4q4j