logo

Database

Excessive privileges In github.com/openbao/openbao

Description

OpenBao is Vulnerable to Privileged Operator Identity Group Root Escalation

Impact

Similar to HCSEC-2025-13 / CVE-2025-5999, a privileged operator could use the identity group subsystem to add a root policy to a group identity group, escalating their or another user's permissions in the system. Specifically this is an issue when:

    An operator in the root namespace has access to identity/groups endpoints.

    An operator does not have policy access.

Otherwise, an operator with policy access could create or modify an existing policy to grant root-equivalent permissions through the sudo capability.

Patches

Patched in version 2.4.4.

Workarounds

Users should audit the use of identity subsystem and deny operators access if it is not in use.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2025-647612. NVD-2025-647613. OSV-2025-647614. GHSA-7ff4-jw48-34365. GCVE-2025-64761

References

1. https://github.com/openbao/openbao/security/advisories/GHSA-7ff4-jw48-34362. https://github.com/openbao/openbao/pull/21433. https://github.com/openbao/openbao/commit/16bb0ccd37a502930a289d434cbe4e7b4edd66e54. https://github.com/openbao/openbao/commit/747a1378c2756f86296ad9450f74f6faeecc2eb75. https://github.com/openbao/openbao/releases/tag/v2.4.4

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.