CVE-2025-64761
BaseFortify
Publication date: 2025-11-25
Last updated on: 2025-12-01
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openbao | openbao | versions before 2.4.4 (2.4.4 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in OpenBao allows a privileged operator to escalate permissions by adding a root policy to an identity group via the identity group subsystem. Specifically, if an operator in the root namespace has access to identity/groups endpoints but lacks policy access, they can still escalate privileges. Operators with policy access could also create or modify policies to grant root-equivalent permissions through the sudo capability. This issue was fixed in version 2.4.4.
How can this vulnerability impact me?
The vulnerability can lead to unauthorized privilege escalation, allowing an attacker or malicious operator to gain root-equivalent permissions within the OpenBao system. This could result in unauthorized access to sensitive secrets and potentially compromise the entire secrets management system's security.
What immediate steps should I take to mitigate this vulnerability?
Upgrade OpenBao to version 2.4.4 or later, as this version contains the patch that fixes the privilege escalation vulnerability. Additionally, review and restrict operator access to identity/groups endpoints, especially for operators in the root namespace without policy access, to minimize risk until the upgrade is applied.
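A defender-side audit for the three conditions the answers above describe, written as an added example (not BaseFortify's or OpenBao's own code): it lists identity groups that carry the root policy directly, policies that can write identity groups (enough on its own to escalate before 2.4.4), and policies holding sudo on the ACL policy endpoints. It assumes group records and policy documents in the JSON shapes of the Vault-compatible identity and policy APIs; the sample data is constructed.

```python
import fnmatch

# Constructed sample data (not real OpenBao output): shaped like the identity
# group read response and the JSON form of ACL policies (assumed Vault-compatible).
SAMPLE_GROUPS = [
    {"name": "sre-oncall", "policies": ["sre", "root"]},
    {"name": "developers", "policies": ["dev-readonly"]},
    {"name": "auditors", "policies": None},
]
SAMPLE_POLICIES = {
    "dev-readonly": {"path": {"secret/data/dev/*": {"capabilities": ["read", "list"]}}},
    "policy-admin": {"path": {"sys/policies/acl/*": {"capabilities": ["update", "sudo"]}}},
    "group-admin": {"path": {"identity/group/*": {"capabilities": ["create", "update"]}}},
}
WRITE_CAPS = {"create", "update", "patch"}

def _covers(policy_path, target):
    """True when a policy path glob and a target glob overlap in either direction."""
    return fnmatch.fnmatch(target, policy_path) or fnmatch.fnmatch(policy_path, target)

def find_root_groups(groups):
    """Names of identity groups whose policy list contains 'root'."""
    return sorted(g["name"] for g in groups if "root" in (g.get("policies") or []))

def find_grants(policies, target, caps):
    """(policy, path) pairs whose path overlaps `target` and grants any of `caps`."""
    hits = []
    for name, doc in policies.items():
        for path, rule in doc.get("path", {}).items():
            if _covers(path, target) and caps & set(rule.get("capabilities", [])):
                hits.append((name, path))
    return sorted(hits)

def audit(groups, policies):
    """Summarise the conditions the advisory describes into one report dict."""
    return {
        "groups_with_root": find_root_groups(groups),
        # before 2.4.4, write access to identity groups alone allows escalation
        "group_writers": find_grants(policies, "identity/group/*", WRITE_CAPS),
        # sudo on the policy endpoints lets a policy grant root-equivalent rights
        "policy_sudo": find_grants(policies, "sys/policies/acl/*", {"sudo"}),
    }

if __name__ == "__main__":
    for check, hits in audit(SAMPLE_GROUPS, SAMPLE_POLICIES).items():
        print(f"{check}: {hits}")
```

Any non-empty list in the report is a grant to review before or while the upgrade to 2.4.4 is rolled out.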