CVE-2025-54996
BaseFortify
Publication date: 2025-08-09
Last updated on: 2025-08-12
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openbao | openbao | to 2.3.2 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in OpenBao versions 2.3.1 and below allows accounts with access to the highly privileged identity entity system in the root namespace to escalate their privileges directly to the root policy. Normally the root policy is restricted: it can only be generated manually from unseal or recovery key shares, and it is not reachable from child namespaces. Because of this issue, such accounts could attach arbitrary policies containing capability grants on arbitrary paths, effectively extending their own scope to that of the root policy. The issue is fixed in version 2.3.2.
How can this vulnerability impact me?
This vulnerability can lead to a serious security breach by allowing privileged accounts to escalate their permissions to the root policy level, potentially granting them full control over sensitive data such as secrets, certificates, and keys managed by OpenBao. This could result in unauthorized access, modification, or deletion of critical security assets, compromising confidentiality, integrity, and availability of the system.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, upgrade OpenBao to version 2.3.2 or later. As a workaround until then, add `denied_parameters` to any policy that grants access to the affected identity entity endpoints, so that the parameter used to attach policies to an entity can no longer be set.
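As an added illustration of that workaround (example policies written for this page, not taken from the advisory or the OpenBao project), here is an entity-administration policy first in its weak form and then with `denied_parameters` applied. The paths `identity/entity` and `identity/entity/*`, and the parameter name `policies`, are assumptions about which endpoints and parameter the advisory refers to; OpenBao uses Vault-style policy syntax, in which an empty list under `denied_parameters` rejects every value for that parameter.

```hcl
# --- entity-admin-weak.hcl (assumed file name) ---
# Weak: a holder of this policy can write every field of an entity,
# including the parameter (assumed: "policies") that attaches policies
# to it. On OpenBao <= 2.3.1 in the root namespace this is the
# escalation path the advisory describes.
path "identity/entity" {
  capabilities = ["create", "update"]
}
path "identity/entity/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

# --- entity-admin-hardened.hcl (assumed file name) ---
# Workaround: same operational capabilities, but the "policies"
# parameter is denied for any value, so entity writes that try to set
# it are rejected. Upgrading to 2.3.2 remains the actual fix.
path "identity/entity" {
  capabilities = ["create", "update"]
  denied_parameters = {
    "policies" = []
  }
}
path "identity/entity/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
  denied_parameters = {
    "policies" = []
  }
}

# Load the hardened version in place of the weak one (CLI form assumed
# to mirror Vault's):
#   bao policy write entity-admin entity-admin-hardened.hcl
```

Apply the same `denied_parameters` stanza to every other policy in the root namespace that reaches these endpoints, since the workaround only protects the policies it is written into.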