GHSA-prpj-rchp-9j5h

Source

https://github.com/advisories/GHSA-prpj-rchp-9j5h

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-prpj-rchp-9j5h/GHSA-prpj-rchp-9j5h.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-prpj-rchp-9j5h

Aliases

Published

2025-06-26T21:29:05Z

Modified

2025-07-28T20:42:10.323717Z

Severity

6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator

Summary

OpenBao allows cancellation of root rekey and recovery rekey operations without authentication

Details

Impact

OpenBao and HashiCorp Vault allowed an attacker to perform unauthenticated, unaudited cancellation of root rekey and recovery rekey operations, effecting a denial of service.

Patches

In OpenBao v2.2.2 and later, manually setting the configuration option disable_unauthed_rekey_endpoints=true allows an operator to deny these rarely-used endpoints on global listeners.

In a future OpenBao release communicated on our website, we will set this to true for all users and provide an authenticated alternative.

This vulnerability has been disclosed to HashiCorp; see their website for more information.

Workarounds

If an active proxy or load balancer sits in front of OpenBao, an operator can deny requests to these endpoints from unauthorized IP ranges.

References

See the deprecation notice.

Database specific

{
    "github_reviewed_at": "2025-06-26T21:29:05Z",
    "nvd_published_at": "2025-06-25T17:15:39Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-20",
        "CWE-306"
    ],
    "severity": "MODERATE"
}

References

Affected packages

Go / github.com/openbao/openbao/api/v2

Package

Name: github.com/openbao/openbao/api/v2; View open source insights on deps.dev
Purl: pkg:golang/github.com/openbao/openbao/api/v2

Affected ranges

Type: SEMVER
Events: Introduced

2.2.2

Fixed

2.3.1

Database specific

{
    "last_known_affected_version_range": "<= 2.3.0"
}