PT-2025-47976 · Openbao +1

Published: 2025-11-24 · Updated: 2026-03-19 · CVE-2025-64761

CVSS v4.0: 7.5 (High)
Vector: AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: OpenBao versions prior to 2.4.4

Description: OpenBao is an identity-based secrets management system. A privileged operator could leverage the identity group subsystem to attach the root policy to an identity group, potentially escalating their own or another user's permissions. This occurs when an operator in the root namespace has access to the identity/groups endpoints but lacks policy access: the group endpoints let the root policy be granted through group membership without going through policy management. An operator who does have policy access could likewise create or modify a policy that grants root-equivalent permissions via the sudo capability. The issue involves the /identity/groups API endpoint.

Recommendations: Update to version 2.4.4 or later.

Weakness Enumeration

LPE
Incorrect Privilege Assignment
Improper Privilege Management

Related Identifiers

CVE-2025-64761
GHSA-7FF4-JW48-3436
GO-2025-4156
OPENSUSE-SU-2025:15767-1
SUSE-SU-2025:4395-1

Affected Products

Openbao
Red Os