CVE-2025-54996
OpenBao is a software solution for managing, storing and distributing sensitive data such as secrets, certificates and keys. In versions 2.3.1 and below, an account with access to the highly privileged identity entity endpoints in the root namespace could escalate directly to the root policy. The identity system accepted arbitrary policy names when attaching policies to an entity, and a policy can carry capability grants on arbitrary paths; the root policy, however, is meant to be obtainable only by manually generating a root token with unseal or recovery key shares, so attaching it through the identity system bypassed that restriction. The global root policy was not reachable from child namespaces. The issue is fixed in version 2.3.2. As a workaround, adding denied_parameters to every policy that grants access to the affected identity entity endpoints may be sufficient to block this type of attack.
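The workaround described above, as an added example that is not part of the advisory or of the OpenBao project's own code: an OpenBao ACL policy for operators who manage identity entities, shown first in the form that lets a holder attach the root policy (commented out) and then with denied_parameters applied. The path prefixes follow the identity entity API; the policy name, the capability sets and the commented "strict" variant are this example's assumptions.

```hcl
# entity-admin.hcl (hypothetical policy name).
#
# BEFORE (vulnerable on OpenBao <= 2.3.1, shown commented out so this file
# stays deployable): unrestricted writes to identity entities. A token holding
# this can write policies=["root"] to identity/entity (create) or to
# identity/entity/id/<id> / identity/entity/name/<name> (update), including
# on the entity its own auth alias maps to, and its effective policies then
# include root.
#
# path "identity/entity" {
#   capabilities = ["create", "update"]
# }
# path "identity/entity/*" {
#   capabilities = ["create", "read", "update", "delete", "list"]
# }

# AFTER: identical grants, but any request whose "policies" parameter
# contains the value "root" is refused. Both stanzas need the block: the
# glob identity/entity/* does not match the bare create path identity/entity.
path "identity/entity" {
  capabilities = ["create", "update"]
  denied_parameters = {
    "policies" = ["root"]
  }
}

path "identity/entity/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
  denied_parameters = {
    "policies" = ["root"]
  }
}

# STRICT variant (assumption, not from the advisory): deny the "policies"
# parameter altogether. An empty list means no value is accepted, so entity
# policies can no longer be changed through this policy at all. Use it if you
# cannot confirm how your version matches parameter values, at the cost of
# moving legitimate policy assignment to a separate, tightly held policy.
#
# path "identity/entity/*" {
#   capabilities = ["create", "read", "update", "delete"]
#   denied_parameters = {
#     "policies" = []
#   }
# }
```

Load it with `bao policy write entity-admin entity-admin.hcl`, then, using a token that carries only this policy, confirm that `bao write identity/entity name=probe policies=root` is refused with permission denied while the same write with `policies=default` succeeds. This is a mitigation, not a fix: it only filters the value "root" on the entity endpoints named in the advisory, so every policy that reaches those endpoints needs the block, and the actual remedy is upgrading to 2.3.2.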
EPSS 0.23% · 46.2th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| openbao | openbao | < 2.3.2, 0 |
| github.com | openbao/openbao | 0.1.0, 0 |
Timeline
- (date not recoverable; the page shows a mis-rendered epoch timestamp) Fix PR Merged
- (date not recoverable; the page shows a mis-rendered epoch timestamp) Security Advisory
- Aug 8, 2025 CVE Published
- Aug 9, 2025 EPSS Score
- Aug 9, 2025 Coalition ESS Score
- Aug 11, 2025 CVE Updated
- Aug 11, 2025 Coalition ESS Score
- Aug 12, 2025 Coalition ESS Score
- Aug 13, 2025 Coalition ESS Score
- Aug 17, 2025 EPSS Score
- Aug 22, 2025 Coalition ESS Score
- Aug 26, 2025 EPSS Score
References
- https://github.com/openbao/openbao/security/advisories/GHSA-vf84-mxrq-crqc url
- https://github.com/openbao/openbao/pull/1627 url
- https://github.com/openbao/openbao/releases/tag/v2.3.2 url
- https://nvd.nist.gov/vuln/detail/CVE-2025-54996 advisory
- https://github.com/openbao/openbao/commit/9b0b5d4f345fdfb1065956f042b12cbd86cd6e0f url
- https://discuss.hashicorp.com/t/hcsec-2025-13-vault-root-namespace-operator-may-elevate-token-privileges/76032 url
- https://github.com/openbao/openbao package
- https://nvd.nist.gov/vuln/detail/cve-2025-5999 advisory