CVE-2025-55003: Improper Restriction of Excessive Authentication Attempts in Openbao

Severity: 5.7 MEDIUM (NVD)
EPSS: 0.0% (top 88.42%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 9; Latest update Mar 20

Description

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, OpenBao's Login Multi-Factor Authentication (MFA) system allows enforcing MFA using Time-based One Time Password (TOTP). Due to normalization applied by the underlying TOTP library, codes were accepted which could contain whitespace; this whitespace could bypass internal rate limiting of the MFA method and allow reuse of existing MF
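The defect class in the description is that the TOTP library silently normalizes whitespace out of a submitted code, while the caller's bookkeeping (here, a replay cache of already-used codes) is keyed on the raw string it received. The added example below is not OpenBao's code and does not reproduce its internal rate limiter, which the page does not detail; it models only the replay side of the issue with a minimal RFC 4226 HOTP/TOTP implementation, a library-style comparison that drops whitespace, and a hardened verifier that refuses any code that is not already canonical before touching the cache. The secret, user name and time step are constructed sample values.

```python
import hashlib
import hmac
import re
import struct

# A canonical 6-digit code: anything else is rejected by the hardened path.
CANONICAL_CODE = re.compile(r"^\d{6}$")


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP; TOTP is HOTP with counter = floor(unix_time / 30)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % (10 ** digits):0{digits}d}"


def library_style_compare(submitted: str, expected: str) -> bool:
    """Models a TOTP library that strips whitespace before comparing,
    the normalization behaviour the advisory describes (assumption)."""
    return hmac.compare_digest(re.sub(r"\s", "", submitted), expected)


class MfaVerifier:
    def __init__(self, secret: bytes, strict: bool):
        self.secret = secret
        self.strict = strict           # True = hardened behaviour
        self.used_codes = set()        # replay cache keyed on (user, step, code)

    def verify(self, user: str, submitted: str, time_step: int) -> bool:
        if self.strict:
            # Hardened: refuse non-canonical input up front, so the replay
            # cache (and any rate limiter) only ever sees one spelling of a code.
            if not CANONICAL_CODE.fullmatch(submitted):
                return False
        # Vulnerable pattern: the cache key is the raw string, so "123456" and
        # "123 456" are distinct keys even though the library treats them as equal.
        replay_key = (user, time_step, submitted)
        if replay_key in self.used_codes:
            return False
        ok = library_style_compare(submitted, hotp(self.secret, time_step))
        if ok:
            self.used_codes.add(replay_key)
        return ok


def demo() -> dict:
    """Replays one valid code with whitespace variants against both verifiers."""
    secret = b"constructed-demo-secret"      # constructed sample value
    step = 1_700_000_000 // 30               # constructed sample time step
    code = hotp(secret, step)
    variants = [code, code + " ", code[:3] + " " + code[3:]]
    results = {}
    for mode in ("vulnerable", "hardened"):
        v = MfaVerifier(secret, strict=(mode == "hardened"))
        results[mode] = [v.verify("alice", s, step) for s in variants]
        if mode == "hardened":
            # Exact resubmission of the canonical code is caught by the cache.
            results["hardened_replay"] = v.verify("alice", code, step)
    return results


if __name__ == "__main__":
    print(demo())
```

In the vulnerable verifier every whitespace variant of the same code is accepted as a fresh attempt; the hardened verifier accepts the canonical code once and rejects the variants before they reach the cache or the library. The general rule it illustrates is to canonicalize (or reject) input before any security bookkeeping, never after.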

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Exploitability: 2.1 | Impact: 3.6

Affected Packages (3 packages)

NVD: openbao/openbao < 2.3.2
Go: github.com/openbao/openbao >= 0.1.0, < 2.3.2 (+2 more)

Patches

Vulnerability Details (5)

GHSA: Vikunja has TOTP Reuse During Validity Window (2026-03-20)
OSV: Vikunja has TOTP Reuse During Validity Window (2026-03-20)
OSV: OpenBao Login MFA Bypass of Rate Limiting and TOTP Token Reuse in github.com/openbao/openbao (2025-08-11)
OSV: OpenBao Login MFA Bypass of Rate Limiting and TOTP Token Reuse (2025-08-08)
GHSA: OpenBao Login MFA Bypass of Rate Limiting and TOTP Token Reuse (2025-08-08)