CVE-2025-59048

8.1 HIGH

📋 TL;DR

OpenBao's AWS authentication plugin allows IAM roles from untrusted AWS accounts to impersonate roles with the same name in trusted accounts, granting unauthorized access. This affects all users of the auth-aws plugin in multi-account AWS environments where IAM role names may not be unique across accounts. The vulnerability enables cross-account privilege escalation.

💻 Affected Systems

Products:
  • OpenBao auth-aws plugin
Versions: All versions prior to 0.1.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments using the AWS auth method in multi-account AWS environments. Single-account deployments are not vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker with an IAM role in any AWS account could impersonate a high-privilege role in a trusted account, gaining full administrative access to OpenBao secrets and potentially downstream systems.

🟠 Likely Case

Accidental or intentional authentication by IAM roles from untrusted accounts with matching role names, leading to unauthorized access to secrets and sensitive data.

🟢 If Mitigated

Limited impact if unique IAM role names are enforced across all AWS accounts, though this requires careful configuration management.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an IAM role in any AWS account with a name matching a trusted role. No special tools or advanced techniques needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.1.1

Vendor Advisory: https://github.com/openbao/openbao-plugins/security/advisories/GHSA-jp7h-4f3c-9rc7

Restart Required: Yes

Instructions:

1. Update the OpenBao auth-aws plugin to version 0.1.1 or later.
2. Restart the OpenBao service.
3. Verify that the plugin version has been updated.

🔧 Temporary Workarounds

Enforce unique IAM role names (applies to: all)

Ensure IAM role names are unique across all AWS accounts that could interact with OpenBao.

# Manual process: audit all AWS accounts for duplicate IAM role names. Names are already unique within
# one account, so list each account (one CLI profile per account here) and combine before deduplicating:
for p in acct-a acct-b; do aws iam list-roles --profile "$p" --query 'Roles[*].RoleName' --output text; done \
  | tr '\t' '\n' | sort | uniq -d

🧯 If You Can't Patch

  • Implement strict IAM role naming conventions across all AWS accounts
  • Add additional authentication layers or network segmentation to limit access to OpenBao

🔍 How to Verify

Check if Vulnerable:

Check auth-aws plugin version: openbao plugin list | grep auth-aws

Check Version:

openbao plugin list | grep auth-aws

Verify Fix Applied:

Confirm plugin version is 0.1.1 or higher: openbao plugin list | grep auth-aws

📡 Detection & Monitoring

Log Indicators:

  • Authentication attempts from unexpected AWS account IDs
  • Multiple authentication events for same role name from different accounts

Network Indicators:

  • AWS STS AssumeRole calls from untrusted accounts to OpenBao endpoints

SIEM Query:

source="openbao" AND (event_type="auth" OR event_type="login") AND aws_account_id NOT IN [trusted_account_list]
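The two log indicators listed above, applied to constructed sample audit records as an added example (this is not part of the advisory, and the JSON field layout, account IDs and role names are assumptions rather than OpenBao's actual audit format):

```python
import json
from collections import defaultdict

# Constructed sample audit records (NOT real OpenBao audit output; the field
# layout is an assumption for illustration). Each login record carries the
# AWS account ID and IAM role name that the auth-aws login resolved to.
SAMPLE_AUDIT_LINES = [
    '{"type":"response","auth":{"metadata":{"account_id":"111111111111","role_name":"ci-deployer"}}}',
    '{"type":"response","auth":{"metadata":{"account_id":"222222222222","role_name":"ci-deployer"}}}',
    '{"type":"response","auth":{"metadata":{"account_id":"111111111111","role_name":"reader"}}}',
    '{"type":"response","auth":{"metadata":{"account_id":"999999999999","role_name":"reader"}}}',
    '{"type":"request","auth":{}}',
]

TRUSTED_ACCOUNTS = {"111111111111", "222222222222"}  # constructed trusted-account list


def parse_logins(lines):
    """Yield (account_id, role_name) for every record that represents a completed login."""
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the whole scan
        meta = rec.get("auth", {}).get("metadata", {})
        if rec.get("type") == "response" and "account_id" in meta and "role_name" in meta:
            yield meta["account_id"], meta["role_name"]


def untrusted_logins(lines, trusted=TRUSTED_ACCOUNTS):
    """Indicator 1: logins whose AWS account ID is not on the trusted list."""
    return sorted({(acct, role) for acct, role in parse_logins(lines) if acct not in trusted})


def shared_role_names(lines):
    """Indicator 2: role names that authenticated from more than one AWS account."""
    accounts_by_role = defaultdict(set)
    for acct, role in parse_logins(lines):
        accounts_by_role[role].add(acct)
    return {role: sorted(accts) for role, accts in accounts_by_role.items() if len(accts) > 1}


if __name__ == "__main__":
    print("untrusted logins:", untrusted_logins(SAMPLE_AUDIT_LINES))
    print("role names seen from several accounts:", shared_role_names(SAMPLE_AUDIT_LINES))
```

A role name that legitimately exists in several trusted accounts still shows up under the second indicator; that is the configuration the workaround above asks you to eliminate.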

🔗 References
