Openbao
Monthly
OpenBao versions prior to 2.5.3 allow high-privileged administrators in one tenant to revoke or renew authentication tokens belonging to users in other tenants if the token accessor is disclosed, bypassing the multi-tenant isolation guarantee. The vulnerability requires high privilege level and user interaction but undermines the core security boundary of OpenBao's namespace-based multi-tenancy model. No active exploitation has been reported.
Disk exhaustion via decompression bomb in OpenBao's OCI plugin downloader allows network attackers to exhaust victim disk resources by serving a crafted container image. The vulnerability exists in ExtractPluginFromImage() which writes decompressed tar streams without size bounds, and validates SHA256 integrity only after the full file is written to disk. An attacker controlling or compromising the OCI registry can replace legitimate plugin images with malicious compressed payloads that decompress to arbitrarily large files, causing denial of service. OpenBao versions prior to 2.5.3 are affected; the CVSS score of 3.1 reflects low impact (availability only) but the attack requires the victim to manually trigger plugin extraction with a compromised registry configured.
OpenBao is an open source identity-based secrets management system. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity.
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required.
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
OpenBao versions before 2.3.0 contain an unauthenticated denial-of-service vulnerability in the root rekey and recovery rekey endpoints that allows attackers to cancel critical key management operations without authentication or audit logging. This affects organizations using OpenBao for secrets management, and the high CVSS 7.5 score reflects the availability impact, though the vulnerability requires no special privileges or user interaction to exploit.
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. OpenBao before v2.3.0 may leak sensitive information in logs when processing malformed data. This is separate from the earlier HCSEC-2025-09 / CVE-2025-4166. This issue has been fixed in OpenBao v2.3.0 and later. Like with HCSEC-2025-09, there is no known workaround except to ensure properly formatted requests from all clients.
Vault Community and Vault Enterprise Key/Value (kv) Version 2 plugin may unintentionally expose sensitive information in server and audit logs when users submit malformed payloads during secret. Rated medium severity (CVSS 4.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Vault Community and Vault Enterprise (“Vault”) clusters using Vault’s Integrated Storage backend are vulnerable to a denial-of-service (DoS) attack through memory exhaustion through a Raft cluster. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or another user’s privileges to Vault’s root policy. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Vault’s SSH secrets engine did not require the valid_principals list to contain a value by default. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Vault and Vault Enterprise (“Vault”) TLS certificate auth method did not correctly validate client certificates when configured with a non-CA certificate as trusted certificate. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
OpenBao versions prior to 2.5.3 allow high-privileged administrators in one tenant to revoke or renew authentication tokens belonging to users in other tenants if the token accessor is disclosed, bypassing the multi-tenant isolation guarantee. The vulnerability requires high privilege level and user interaction but undermines the core security boundary of OpenBao's namespace-based multi-tenancy model. No active exploitation has been reported.
Disk exhaustion via decompression bomb in OpenBao's OCI plugin downloader allows network attackers to exhaust victim disk resources by serving a crafted container image. The vulnerability exists in ExtractPluginFromImage() which writes decompressed tar streams without size bounds, and validates SHA256 integrity only after the full file is written to disk. An attacker controlling or compromising the OCI registry can replace legitimate plugin images with malicious compressed payloads that decompress to arbitrarily large files, causing denial of service. OpenBao versions prior to 2.5.3 are affected; the CVSS score of 3.1 reflects low impact (availability only) but the attack requires the victim to manually trigger plugin extraction with a compromised registry configured.
OpenBao is an open source identity-based secrets management system. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity.
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required.
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
OpenBao versions before 2.3.0 contain an unauthenticated denial-of-service vulnerability in the root rekey and recovery rekey endpoints that allows attackers to cancel critical key management operations without authentication or audit logging. This affects organizations using OpenBao for secrets management, and the high CVSS 7.5 score reflects the availability impact, though the vulnerability requires no special privileges or user interaction to exploit.
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. OpenBao before v2.3.0 may leak sensitive information in logs when processing malformed data. This is separate from the earlier HCSEC-2025-09 / CVE-2025-4166. This issue has been fixed in OpenBao v2.3.0 and later. Like with HCSEC-2025-09, there is no known workaround except to ensure properly formatted requests from all clients.
Vault Community and Vault Enterprise Key/Value (kv) Version 2 plugin may unintentionally expose sensitive information in server and audit logs when users submit malformed payloads during secret. Rated medium severity (CVSS 4.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Vault Community and Vault Enterprise (“Vault”) clusters using Vault’s Integrated Storage backend are vulnerable to a denial-of-service (DoS) attack through memory exhaustion through a Raft cluster. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or another user’s privileges to Vault’s root policy. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Vault’s SSH secrets engine did not require the valid_principals list to contain a value by default. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Vault and Vault Enterprise (“Vault”) TLS certificate auth method did not correctly validate client certificates when configured with a non-CA certificate as trusted certificate. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.