PT-2025-43523 · Openbao · Openbao Aws Plugin
Published: 2025-10-23 · Updated: 2025-12-05 · CVE-2025-59048
CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
OpenBao AWS Plugin versions prior to 0.1.1
Description
The OpenBao AWS Plugin generates AWS access credentials based on IAM policies. Versions of the plugin prior to 0.1.1 are susceptible to cross-account IAM role impersonation within the AWS auth method: an IAM role in an untrusted AWS account can authenticate by assuming the identity of a role with the same name in a trusted account, potentially resulting in unauthorized access. This issue affects users of the auth-aws plugin operating in multi-account AWS environments where IAM role names are not unique across accounts.
Recommendations
Update to OpenBao AWS Plugin version 0.1.1 or later.
Ensure IAM role names are unique across all AWS accounts that interact with your OpenBao environment.
Audit for IAM role names that are duplicated across accounts.
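The following is an added illustration, not code from the OpenBao project: a model of the bug class the description names (a binding check that compares only the role name, beside the hardened check that also compares the account ID), plus an audit helper for the recommendation above that flags role names present in more than one account. The account IDs, role names and the shape of the weak check are constructed assumptions for the example.

```python
from collections import defaultdict

# Constructed sample data (not from the advisory): one trusted account whose
# role is bound in the auth method, and a second, untrusted account that
# happens to own a role of the same name.
TRUSTED_ACCOUNT = "111111111111"
UNTRUSTED_ACCOUNT = "222222222222"
BOUND_PRINCIPALS = [f"arn:aws:iam::{TRUSTED_ACCOUNT}:role/ci-deployer"]


def parse_role(arn):
    """Return (account_id, role_name) for an IAM role ARN or for the STS
    assumed-role ARN that sts:GetCallerIdentity returns for a role session."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn}")
    service, account, resource = parts[2], parts[4], parts[5]
    if service == "iam" and resource.startswith("role/"):
        return account, resource.split("/")[-1]   # drop any IAM path
    if service == "sts" and resource.startswith("assumed-role/"):
        return account, resource.split("/")[1]    # assumed-role/<name>/<session>
    raise ValueError(f"not a role principal: {arn}")


def name_only_match(caller_arn, bound_arns):
    """Illustrative model of the weak check (assumption, not the plugin's code):
    only the role name is compared, so a same-named role in ANY account passes."""
    _, name = parse_role(caller_arn)
    return any(parse_role(b)[1] == name for b in bound_arns)


def account_and_name_match(caller_arn, bound_arns):
    """Hardened check: the account ID and the role name must both match."""
    caller = parse_role(caller_arn)
    return any(parse_role(b) == caller for b in bound_arns)


def duplicate_role_names(roles_by_account):
    """Audit helper: given {account_id: [role ARNs, e.g. from iam:ListRoles]},
    return the role names that exist in more than one account."""
    owners = defaultdict(set)
    for account, arns in roles_by_account.items():
        for arn in arns:
            owners[parse_role(arn)[1]].add(account)
    return {name: sorted(accts) for name, accts in owners.items() if len(accts) > 1}
```

Run `duplicate_role_names` over the role listings of every account that can reach the OpenBao instance; any non-empty result is a name collision to resolve before relying on name-based bindings.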
Weakness: Incorrect Authorization
Affected Products
Openbao Aws Plugin