CVE-2025-52894: Improper Input Validation in OpenBao

Severity: 6.9 MEDIUM (NVD)
EPSS: 0.0% (top 87.05%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 25; Latest update Jul 28

Description

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. OpenBao before v2.3.0 allowed an attacker to perform unauthenticated, unaudited cancellation of root rekey and recovery rekey operations, effecting a denial of service. In OpenBao v2.2.0 and later, manually setting the configuration option `disable_unauthed_rekey_endpoints=true` allows an operator to deny these rarely-used endpoints on global listeners. A patch

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Affected Packages (3 packages)

Source | Package | Affected versions
CVEListV5 | openbao/openbao | < 2.3.0
NVD | openbao/openbao | 2.2.0 to 2.3.0
Go | github.com/openbao_openbao | < 0.0.0-20250625150133-fe75468822a2 (+1)

Patches

Vulnerability Details (3 references)

OSV | OpenBao allows cancellation of root rekey and recovery rekey operations without authentication in github.com/openbao/openbao | 2025-07-28
OSV | OpenBao allows cancellation of root rekey and recovery rekey operations without authentication | 2025-06-26
GHSA | OpenBao allows cancellation of root rekey and recovery rekey operations without authentication | 2025-06-26