CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. OpenBao before v2.3.0 allowed an attacker to perform unauthenticated, unaudited cancellation of root rekey and recovery rekey operations, resulting in a denial of service. In OpenBao v2.2.0 and later, manually setting the configuration option `disable_unauthed_rekey_endpoints=true` allows an operator to disable these rarely-used endpoints on global listeners. A patch is available at commit fe75468822a22a88318c6079425357a02ae5b77b. In a future OpenBao release, announced on OpenBao's website, the maintainers will set this option to `true` for all users and provide an authenticated alternative. As a workaround, if an active proxy or load balancer sits in front of OpenBao, an operator can deny requests to these endpoints from unauthorized IP ranges.
Analysis
OpenBao versions before 2.3.0 contain an unauthenticated denial-of-service vulnerability in the root rekey and recovery rekey endpoints: any client that can reach the API can cancel an in-progress rekey without presenting a token, and because the request is not audit-logged the cancellation leaves no trace in OpenBao itself. The practical effect is that operators cannot complete a key rotation while an attacker keeps aborting it. Any organization running an affected OpenBao is exposed. The CVSS 3.1 score of 7.5 (High) follows directly from the vector: a high availability impact on an endpoint that is network-reachable with low attack complexity and requires no privileges or user interaction, with no confidentiality or integrity impact.
Technical Context
OpenBao is a secrets management and data protection solution, forked from HashiCorp Vault, that manages cryptographic keys, certificates, and sensitive credentials. The vulnerability lies in the rekey endpoints used to rotate the root key and the recovery keys, rare but critical administrative operations in a secrets vault. As in Vault, these endpoints are deliberately reachable without a token: the legitimate protection for starting and completing a rekey is possession of a threshold of unseal or recovery key shares, not API authentication. Cancelling an in-progress rekey, however, requires no shares at all, so any unauthenticated client that can reach the listener can abort an operation that operators are in the middle of, and nothing is written to the audit log. The root cause is catalogued as CWE-20 (Improper Input Validation), but the missing controls are, concretely, authentication, authorization, and audit logging on a state-changing administrative endpoint. The affected product is OpenBao, versions prior to 2.3.0.
Affected Products
OpenBao (< 2.3.0)
Remediation
Upgrade: move to OpenBao 2.3.0 or later, which carries the fix from commit fe75468822a22a88318c6079425357a02ae5b77b.

Immediate workaround (v2.2.0 and later): set the configuration option `disable_unauthed_rekey_endpoints=true`. This disables the unauthenticated rekey endpoints on global listeners and requires a restart of the OpenBao service to take effect; rekeying through those endpoints is then unavailable until the option is cleared again, which is acceptable for an operation this rare.

Network workaround (any version): if a reverse proxy, load balancer, or firewall sits in front of OpenBao, deny requests to the rekey endpoints from all but operator source ranges. Cover the whole prefixes /v1/sys/rekey/ (init, update, verify) and /v1/sys/rekey-recovery-key/ (same sub-paths). Cancellation is a DELETE on the respective init path, so a rule limited to PUT or POST does not close the hole, and a rule limited to DELETE still leaves the status read (GET on init) open to probing. Legitimate rekeys must then be performed from an allowed range.

Future mitigation: the maintainers have announced on OpenBao's website that a future release will set disable_unauthed_rekey_endpoints=true by default for all users and provide an authenticated alternative to the rekey endpoints.
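The following is an added example, not code from OpenBao or from the advisory, covering both the network workaround above and the point made under Technical Context that the cancellation is unaudited: since OpenBao records nothing, the proxy or load balancer access log is the only place an attempted cancellation leaves a trace. It expresses the proxy's allow/deny decision as a reference function and runs it over constructed combined-format access-log lines to flag rekey requests from outside the operator ranges. The operator CIDRs, log format, timestamps, and client addresses are assumptions chosen for illustration.

```python
"""Reference policy and log triage for the OpenBao rekey-endpoint workaround.

Added example, not OpenBao's code. Assumes a reverse proxy in front of
OpenBao that writes combined-format access logs; the operator CIDRs and
the log lines below are constructed for illustration.
"""
import ipaddress
import re
from typing import Iterable, List, Tuple

# Every rekey endpoint, root and recovery, lives under one of these prefixes.
REKEY_PREFIXES = ("/v1/sys/rekey/", "/v1/sys/rekey-recovery-key/")

# Source ranges from which operators run rekeys (assumed values).
OPERATOR_NETS = [
    ipaddress.ip_network("10.20.0.0/24"),
    ipaddress.ip_network("192.168.100.5/32"),
]


def is_rekey_path(path: str) -> bool:
    """True for any request under a rekey prefix, query string ignored."""
    path = path.split("?", 1)[0]
    return any(path.startswith(prefix) for prefix in REKEY_PREFIXES)


def classify(method: str, path: str) -> str:
    """Label a rekey request: cancel (DELETE on init), start, progress, probe."""
    path = path.split("?", 1)[0].rstrip("/")
    if path.endswith("/init"):
        if method == "DELETE":
            return "cancel"    # the unauthenticated operation this advisory is about
        if method in ("PUT", "POST"):
            return "start"
        return "probe"         # GET reads rekey status: harmless, but reveals a rekey in flight
    if path.endswith("/update") or path.endswith("/verify"):
        return "progress"      # needs key shares, so not usable without them
    return "other"


def allow_request(method: str, path: str, client_ip: str, operator_nets=OPERATOR_NETS) -> bool:
    """Decision the proxy should make: deny the whole rekey prefix to non-operators."""
    if not is_rekey_path(path):
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in operator_nets)   # version mismatch simply yields False


# Combined log format: ip ident user [ts] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def triage_access_log(lines: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, ip, kind, path) for rekey requests the policy would deny.

    Run over historical proxy logs to learn whether the endpoints were reached
    from outside the operator ranges before the workaround was in place.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if allow_request(m["method"], m["path"], m["ip"]):
            continue
        hits.append((m["ts"], m["ip"], classify(m["method"], m["path"]), m["path"]))
    return hits


# Constructed sample: an operator starts a rekey, an outside host cancels it.
SAMPLE_LOG = [
    '10.20.0.7 - - [01/Jul/2025:10:01:02 +0000] "PUT /v1/sys/rekey/init HTTP/1.1" 200 312',
    '10.20.0.7 - - [01/Jul/2025:10:01:40 +0000] "PUT /v1/sys/rekey/update HTTP/1.1" 200 220',
    '203.0.113.45 - - [01/Jul/2025:10:02:11 +0000] "DELETE /v1/sys/rekey/init HTTP/1.1" 204 0',
    '203.0.113.45 - - [01/Jul/2025:10:02:12 +0000] "GET /v1/sys/rekey-recovery-key/init HTTP/1.1" 200 150',
    '198.51.100.9 - - [01/Jul/2025:10:03:00 +0000] "GET /v1/sys/health HTTP/1.1" 200 300',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ts, ip, kind, path in triage_access_log(SAMPLE_LOG):
        print(f"{ts} {ip} {kind:8} {path}")
```

On the sample, the operator's own PUT requests pass and the two requests from 203.0.113.45 are flagged, the first as a cancel. The same prefix-and-source-range rule is what to encode in the proxy; `allow_request` is only a readable statement of it, not a replacement for enforcing it at the edge.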
Vendor Status
Debian
Bug #1069794

| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| - | open | - | - |
References
EUVD-2025-19111 (EU Vulnerability Database entry)
GHSA-prpj-rchp-9j5h (GitHub Security Advisory)