CVE-2025-64761
📋 TL;DR
OpenBao versions before 2.4.4 contain a privilege escalation vulnerability where privileged operators without policy access can add root policies to identity groups, granting root-equivalent permissions. This affects operators in the root namespace with access to identity/groups endpoints but without policy access. The vulnerability allows unauthorized privilege escalation within the identity management system.
💻 Affected Systems
- OpenBao
📦 What is this software?
OpenBao, by the OpenBao project: the secrets management system whose instance this advisory concerns.
⚠️ Risk & Real-World Impact
Worst Case
An attacker with operator privileges in the root namespace could escalate to root-equivalent permissions, gaining full control over the OpenBao instance, accessing all secrets, and compromising the entire secrets management infrastructure.
Likely Case
A malicious or compromised operator could elevate their own or another user's permissions beyond intended limits, potentially accessing sensitive secrets and configuration data they shouldn't have access to.
If Mitigated
With proper access controls limiting operator privileges and monitoring of identity group modifications, the impact would be limited to unauthorized policy assignments that could be detected and reversed.
🎯 Exploit Status
Exploitation requires authenticated operator access with specific privileges. The vulnerability is straightforward to exploit once the attacker has the required access level.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4.4
Vendor Advisory: https://github.com/openbao/openbao/security/advisories/GHSA-7ff4-jw48-3436
Restart Required: Yes
Instructions:
1. Back up your OpenBao configuration and data.
2. Stop the OpenBao service.
3. Upgrade to OpenBao version 2.4.4 or later.
4. Restart the OpenBao service.
5. Verify that the upgrade was successful.
🔧 Temporary Workarounds
Restrict Identity Group Endpoint Access
Limit access to the identity/groups endpoints to the operators who require it for their duties.
# Configure OpenBao policies to restrict identity/groups endpoint access
# Example: Create policy denying identity/groups/* to non-essential operators
Implement Least Privilege for Operators
Ensure that operators in the root namespace have only the minimum permissions they need.
# Review and audit all operator policies
# Remove unnecessary permissions from operator policies
🧯 If You Can't Patch
- Implement strict access controls to limit which operators can access identity/groups endpoints
- Enable detailed auditing and monitoring of all identity group modifications and policy assignments
🔍 How to Verify
Check if Vulnerable:
Check whether the OpenBao version is earlier than 2.4.4 and whether operators in the root namespace have access to the identity/groups endpoints without policy access.
Check Version:
bao version
Verify Fix Applied:
Verify that the OpenBao version is 2.4.4 or later, and test that operators without policy access cannot add root policies to identity groups.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized or suspicious modifications to identity groups
- Root policy assignments to identity groups by operators without policy access
- Multiple failed attempts to access identity/groups endpoints
Network Indicators:
- Unusual API calls to identity/groups endpoints from unexpected sources
- Increased frequency of identity group modification requests
SIEM Query:
source="openbao" AND ("identity/groups" OR "policy assignment") AND ("root" OR "privilege escalation")
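As an added example (not part of this advisory), the log indicators above turned into detection logic over constructed audit-log lines: it flags identity group writes that assign the `root` policy by a caller whose own token does not hold it, and counts repeated permission-denied responses against the same endpoints. It assumes the Vault-compatible JSON audit format that OpenBao's file audit device emits and matches the `identity/group` path prefix (the endpoint family the advisory calls identity/groups); the field values and sample lines are constructed.

```python
import json
from collections import Counter

# Constructed sample lines in the JSON shape of an OpenBao (Vault-compatible) file audit
# device; real entries HMAC request data values unless "policies" is a non-HMAC'd key.
SAMPLE_AUDIT_LOG = r"""
{"type":"request","auth":{"display_name":"token-ops-alice","policies":["default","ops-identity"]},"request":{"operation":"update","path":"identity/group/name/platform-admins","namespace":{"id":"root"},"data":{"policies":["root"]},"remote_address":"10.0.5.21"}}
{"type":"request","auth":{"display_name":"token-ops-bob","policies":["default","ops-identity"]},"request":{"operation":"update","path":"identity/group/name/dev-readers","namespace":{"id":"root"},"data":{"policies":["dev-read"]},"remote_address":"10.0.5.22"}}
{"type":"response","auth":{"display_name":"token-ops-carol","policies":["default"]},"request":{"operation":"update","path":"identity/group/name/platform-admins","namespace":{"id":"root"},"remote_address":"10.0.9.3"},"error":"1 error occurred:\n\t* permission denied\n\n"}
{"type":"response","auth":{"display_name":"token-ops-carol","policies":["default"]},"request":{"operation":"update","path":"identity/group/name/platform-admins","namespace":{"id":"root"},"remote_address":"10.0.9.3"},"error":"1 error occurred:\n\t* permission denied\n\n"}
{"type":"response","auth":{"display_name":"token-ops-carol","policies":["default"]},"request":{"operation":"update","path":"identity/group/name/platform-admins","namespace":{"id":"root"},"remote_address":"10.0.9.3"},"error":"1 error occurred:\n\t* permission denied\n\n"}
"""

def parse_audit_lines(text):
    """One dict per non-empty JSON line of a file audit device."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def is_group_write(entry):
    """True for create/update requests against the identity group endpoints."""
    req = entry.get("request", {})
    return (req.get("path", "").startswith("identity/group")
            and req.get("operation") in ("create", "update"))

def find_root_policy_grants(entries):
    """Alert on group writes that assign 'root' from a caller whose token lacks it."""
    alerts = []
    for e in entries:
        if e.get("type") != "request" or not is_group_write(e):
            continue
        assigned = e["request"].get("data", {}).get("policies") or []
        caller_policies = e.get("auth", {}).get("policies") or []
        if "root" in assigned and "root" not in caller_policies:
            alerts.append({"actor": e["auth"].get("display_name"),
                           "path": e["request"]["path"],
                           "remote_address": e["request"].get("remote_address")})
    return alerts

def find_repeated_denials(entries, threshold=3):
    """Count 'permission denied' responses on identity/group per (actor, address)."""
    denials = Counter()
    for e in entries:
        if (e.get("type") == "response" and is_group_write(e)
                and "permission denied" in (e.get("error") or "")):
            actor = e.get("auth", {}).get("display_name")
            denials[(actor, e["request"].get("remote_address"))] += 1
    return {key: n for key, n in denials.items() if n >= threshold}

def analyze(text):
    entries = parse_audit_lines(text)
    return find_root_policy_grants(entries), find_repeated_denials(entries)
```

With a default audit device the `policies` values arrive HMAC'd, so either configure that key as non-HMAC'd on the device or compare against the hash the audit-hash endpoint returns for the string `root`.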