PT-2025-32379

Cipherboy

Published: 2025-08-08
Updated: 2025-09-12

CVE-2025-54996

CVSS v2.0: 8.3 (High)
Vector: AV:N/AC:L/Au:M/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: OpenBao versions 2.3.1 and below

Description: OpenBao is a software solution for managing, storing, and distributing sensitive data. In affected versions, accounts with access to the highly privileged identity entity system in the root namespace could escalate their privileges directly to the root policy. The identity system allowed attaching arbitrary policies with capability grants on arbitrary paths to an entity, whereas the root policy is intended to be obtainable only through manual generation. The global root policy was not reachable from child namespaces.

Recommendations: OpenBao versions prior to 2.3.2: upgrade to version 2.3.2 or later to resolve this issue. As a temporary workaround, using denied parameters in any policy that grants access to the affected identity endpoints (on identity entities) may be sufficient to prevent this type of attack.

Exploit

Fix

Weakness Enumeration

Improper Privilege Management
Incorrect Privilege Assignment

Related Identifiers

BDU:2025-11283
CVE-2025-54996
GHSA-VF84-MXRQ-CRQC
GO-2025-3857
OPENSUSE-SU-2025:15434-1
OPENSUSE-SU-2025:15460-1
SUSE-SU-2025:02912-1

Affected Products

Openbao
Red Os