CVE-2025-64761
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-25

Last updated on: 2025-12-01

Assigner: GitHub, Inc.

Description
OpenBao is an open source identity-based secrets management system. Prior to version 2.4.4, a privileged operator could use the identity group subsystem to add a root policy to a group identity group, escalating their or another user's permissions in the system. Specifically this is an issue when: an operator in the root namespace has access to identity/groups endpoints and an operator does not have policy access. Otherwise, an operator with policy access could create or modify an existing policy to grant root-equivalent permissions through the sudo capability. This issue has been patched in version 2.4.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-25
Last Modified
2025-12-01
Generated
2026-06-16
AI Q&A
2025-11-25
EPSS Evaluated
2026-06-14
NVD
CVE-2025-64761
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openbao openbao to 2.4.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in OpenBao allows a privileged operator to escalate permissions by adding a root policy to an identity group via the identity group subsystem. Specifically, if an operator in the root namespace has access to identity/groups endpoints but lacks policy access, they can still escalate privileges. Operators with policy access could also create or modify policies to grant root-equivalent permissions through the sudo capability. This issue was fixed in version 2.4.4.

Impact Analysis

The vulnerability can lead to unauthorized privilege escalation, allowing an attacker or malicious operator to gain root-equivalent permissions within the OpenBao system. This could result in unauthorized access to sensitive secrets and potentially compromise the entire secrets management system's security.

Mitigation Strategies

Upgrade OpenBao to version 2.4.4 or later, as this version contains the patch that fixes the privilege escalation vulnerability. Additionally, review and restrict operator access to identity/groups endpoints, especially for operators in the root namespace without policy access, to minimize risk until the upgrade is applied.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-64761. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart