CVE-2025-54998Improper Restriction of Excessive Authentication Attempts in Openbao Openbao

CWE-307Improper Restriction of Excessive Authentication Attempts4 documents3 sources
Severity
5.3MEDIUMNVD
EPSS
0.0%
top 85.42%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Github.com Openbao OpenbaoOpenbao
Timeline
PublishedAug 9
Latest updateAug 11

Description

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, attackers could bypass the automatic user lockout mechanisms in the OpenBao Userpass or LDAP auth systems. This was caused by different aliasing between pre-flight and full login request user entity alias attributions. This is fixed in version 2.3.2. To work around this issue, existing users may apply rate-limiting quotas on the

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

NVDopenbao/openbao< 2.3.2
Gogithub.com/openbao_openbao0.1.02.3.2+2
CVEListV5openbao/openbao>= 0.1.0, < 2.3.2

Patches

Patch: github.com

🔴Vulnerability Details

3
OSV
OpenBao Userpass and LDAP User Lockout Bypass in github.com/openbao/openbao2025-08-11
OSV
OpenBao Userpass and LDAP User Lockout Bypass2025-08-08
GHSA
OpenBao Userpass and LDAP User Lockout Bypass2025-08-08