CVE-2025-55001: Improper Neutralization of Whitespace in OpenBao

Severity
NVD: 6.5 MEDIUM
GHSA: 8.1
OSV: 8.1

EPSS
Score: 0.0%
Percentile: top 90.38%

CISA KEV
Not in KEV

Exploit
No known exploits

Timeline
Published: Aug 9
Latest update: Aug 11

Description

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, OpenBao allowed the assignment of policies and MFA attribution based upon entity aliases, chosen by the underlying auth method. When the username_as_alias=true parameter in the LDAP auth method was in use, the caller-supplied username was used verbatim without normalization, allowing an attacker to bypass alias-specific MFA requirem

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Exploitability: 1.2 | Impact: 5.2

Affected Packages (2 packages)

NVD: openbao/openbao < 2.3.2
Go: github.com/openbao/openbao 0.1.0 to 2.3.2 (+2)

Patches

Vulnerability Details (3 references)

OSV: OpenBao LDAP MFA Enforcement Bypass When Using Username As Alias in github.com/openbao/openbao (2025-08-11)
OSV: OpenBao LDAP MFA Enforcement Bypass When Using Username As Alias (2025-08-08)
GHSA: OpenBao LDAP MFA Enforcement Bypass When Using Username As Alias (2025-08-08)