CVE-2025-5999
Published 2025-08-01
Priority P346 · high · 7.2 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.46% (36.5th percentile)
A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or another user’s token privileges to Vault’s root policy. Fixed in Vault Community Edition 1.20.0 and Vault Enterprise 1.20.0, 1.19.6, 1.18.11 and 1.16.22.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | hashicorp_vault | >= 0.10.4 < 1.20.0 | 1.20.0 |
| github.com | openbao_openbao | >= 0 < 0.0.0-20250806193240-9b0b5d4f345f | 0.0.0-20250806193240-9b0b5d4f345f |
| github.com | openbao_openbao | >= 0 < 2.4.4 | 2.4.4 |
| github.com | openbao_openbao | >= 0.1.0 < 2.3.2 | 2.3.2 |
| hashicorp | vault | >= 0.10.4 < 1.16.22 | 1.16.22 |
| hashicorp | vault | >= 0.10.4 < 1.20.0 | 1.20.0 |
| hashicorp | vault | >= 1.17.0 < 1.18.11 | 1.18.11 |
| hashicorp | vault | >= 1.19.0 < 1.19.6 | 1.19.6 |
| hashicorp | vault_enterprise | >= 0.10.4 < 1.20.0 | 1.20.0 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| ghsa | 7.2 | HIGH | |
| osv | 7.2 | HIGH | |
| vendor_redhat | 7.2 | HIGH | |
Red Hat
github.com/hashicorp/vault: Vault Identity Token Privilege Escalation
vendor_redhat · 2025-08-01 · CVSS 7.2 · CVE-2025-5999 [HIGH] · CWE-266
A flaw was found in github.com/hashicorp/vault. This vulnerability allows a privileged Vault operator with write access to the root namespace’s identity endpoint to manipulate token privileges, effectively elevating another user’s token to the Vault root policy. This privilege escalation occurs through crafted writes to the identity endpoint. An attacker can obtain unauthorized root access to the Vault system, allowing complete control over the Vaul
OSV / GHSA
OpenBao is Vulnerable to Privileged Operator Identity Group Root Escalation
osv, ghsa · 2025-11-24 · CVSS 7.2 · CVE-2025-64761 [HIGH] · CWE-266
### Impact
Similar to HCSEC-2025-13 / CVE-2025-5999, a privileged operator could use the identity group subsystem to add the root policy to an identity group, escalating their own or another user's permissions in the system. Specifically, this is an issue when:
1. An operator in the root namespace has access to `identity/groups` endpoints.
2. An operator does not have policy access.
Otherwise, an operator with policy access could create or modify an existing policy to grant root-equivalent permissions through the `sudo` capability.
### Patches
Patched in version 2.4.4.
### Workarounds
Users should audit use of the identity subsystem and deny operators access to it where it is not in use.
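The workaround above is to audit the identity subsystem. The following Go program is an added example (not code from OpenBao, HashiCorp or this page) of what that audit can look like in practice: it scans file-audit-device JSON lines for root-namespace writes to the entity and group endpoints that attach the root policy, and for membership changes to a group already seen carrying it, which is the second escalation route the advisory describes. Assumptions: record field names follow the file audit device's shape (`type`, `auth.display_name`, `auth.policies`, `request.operation`, `request.path`, `request.namespace.id`, `request.data`); because the audit device HMACs request data values by default, the literal string `root` only appears if the mount has been tuned to exclude `policies` via `audit_non_hmac_request_keys`, so the detector also accepts the HMAC the device produces for `root`, which `sys/audit-hash/<device>` will compute for you; the sample lines, HMAC strings and display names are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// auditEntry is the subset of a Vault / OpenBao file audit device JSON record the detector reads.
// encoding/json matches keys case-insensitively, so only display_name needs an explicit tag.
type auditEntry struct {
	Time, Type string // Type is "request" or "response"
	Auth       struct {
		DisplayName string `json:"display_name"`
		Policies    []string
	}
	Request struct {
		Operation, Path string                 // Operation: "create", "update", "read", ...
		Namespace       struct{ ID string }    // ID is "root" in the root namespace
		Data            map[string]interface{} // values are HMAC'd unless the mount is tuned otherwise
	}
}

type Finding struct{ Time, Actor, Path, Reason string }

// policyValues normalises data["policies"]: a JSON list, or the comma-separated string the CLI sends.
func policyValues(v interface{}) (out []string) {
	items, _ := v.([]interface{})
	if s, ok := v.(string); ok {
		items = []interface{}{s}
	}
	for _, item := range items {
		for _, s := range strings.Split(fmt.Sprint(item), ",") {
			if s = strings.TrimSpace(s); s != "" {
				out = append(out, s)
			}
		}
	}
	return out
}

// DetectRootGrants flags root-namespace create/update requests to identity/entity* or
// identity/group* whose "policies" carries the root policy, plus membership changes to any group
// already seen carrying it. rootMarkers is how "root" appears in request.data: the literal string
// if the mount is tuned with audit_non_hmac_request_keys=policies, otherwise the HMAC the audit
// device emits for it (sys/audit-hash/<device> computes that value for a given input).
func DetectRootGrants(lines []string, rootMarkers []string) []Finding {
	var findings []Finding
	marks := map[string]bool{}
	for _, m := range rootMarkers {
		marks[strings.ToLower(m)] = true
	}
	rootGroups := map[string]bool{} // group paths seen with root attached
	for _, line := range lines {
		var e auditEntry
		if json.Unmarshal([]byte(line), &e) != nil || e.Type != "request" {
			continue // malformed line, or the response half of the request/response pair
		}
		p, op := e.Request.Path, e.Request.Operation
		isGroup, isEntity := strings.HasPrefix(p, "identity/group"), strings.HasPrefix(p, "identity/entity")
		// Only root-namespace create/update requests on identity objects matter: the global root
		// policy is unreachable from child namespaces. A missing namespace block (older logs) = root.
		if ns := e.Request.Namespace.ID; (op != "create" && op != "update") || (!isGroup && !isEntity) || (ns != "" && ns != "root") {
			continue
		}
		attachesRoot := false
		for _, pol := range policyValues(e.Request.Data["policies"]) {
			attachesRoot = attachesRoot || marks[strings.ToLower(pol)]
		}
		_, ent := e.Request.Data["member_entity_ids"]
		_, grp := e.Request.Data["member_group_ids"]
		switch {
		case attachesRoot:
			findings = append(findings, Finding{e.Time, e.Auth.DisplayName, p, "root policy attached (escalation)"})
		case isGroup && rootGroups[p] && (ent || grp):
			findings = append(findings, Finding{e.Time, e.Auth.DisplayName, p, "membership change on a group carrying root"})
		}
		if attachesRoot && isGroup {
			rootGroups[p] = true
		}
	}
	return findings
}

// SampleAuditLines are constructed records in the file audit device's shape, not lines from any
// real deployment; the hmac-sha256 values are placeholders for real audit-device HMACs.
var SampleAuditLines = []string{
	`{"time":"2025-08-05T10:00:00Z","type":"request","auth":{"display_name":"userpass-alice","policies":["default","identity-admin"]},"request":{"operation":"update","path":"identity/entity/id/e-1","namespace":{"id":"root"},"data":{"policies":["default","root"]}}}`,
	`{"time":"2025-08-05T10:00:00Z","type":"response","auth":{"display_name":"userpass-alice","policies":["default","identity-admin"]},"request":{"operation":"update","path":"identity/entity/id/e-1","namespace":{"id":"root"},"data":{"policies":["default","root"]}}}`,
	`{"time":"2025-08-05T10:01:00Z","type":"request","auth":{"display_name":"userpass-bob","policies":["default","identity-admin"]},"request":{"operation":"update","path":"identity/group/name/ops","namespace":{"id":"root"},"data":{"policies":["hmac-sha256:0123abcd"]}}}`,
	`{"time":"2025-08-05T10:02:00Z","type":"request","auth":{"display_name":"userpass-bob","policies":["default","identity-admin"]},"request":{"operation":"update","path":"identity/group/name/ops","namespace":{"id":"root"},"data":{"member_entity_ids":["hmac-sha256:9999"]}}}`,
	`{"time":"2025-08-05T10:03:00Z","type":"request","auth":{"display_name":"userpass-carol","policies":["default","identity-admin"]},"request":{"operation":"update","path":"identity/entity/id/e-2","namespace":{"id":"ns1"},"data":{"policies":["root"]}}}`,
	`{"time":"2025-08-05T10:04:00Z","type":"request","auth":{"display_name":"userpass-dave","policies":["default","identity-admin"]},"request":{"operation":"update","path":"identity/entity/id/e-3","namespace":{"id":"root"},"data":{"policies":"default,root"}}}`,
}

func main() {
	for _, f := range DetectRootGrants(SampleAuditLines, []string{"root", "hmac-sha256:0123abcd"}) {
		fmt.Printf("%s %-14s %-25s %s\n", f.Time, f.Actor, f.Path, f.Reason)
	}
}
```

Run it with `go run` on the embedded samples, or feed it lines read from the audit file. Response records are skipped because the paired request record already carries the data. The detector does not exempt writes made by a token that already holds `root`: a root policy left on an entity or group outlives the root token that created it, so those writes still deserve review, and `auth.policies` on the flagged record tells you which case you are looking at.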
OSV
Hashicorp Vault has Privilege Escalation Vulnerability in github.com/hashicorp/vault
osv · 2025-08-11 · CVE-2025-5999
OSV / GHSA
OpenBao Root Namespace Operator May Elevate Token Privileges
osv, ghsa · 2025-08-08 · CVE-2025-54996 [HIGH] · CWE-266
### Impact
Accounts with access to the highly-privileged identity entity system in the root namespace may increase their scope directly to the `root` policy. While the identity system always allowed adding arbitrary policies, which in turn could contain capability grants on arbitrary paths, the `root` policy is restricted to manual generation using unseal or recovery key shares. The global `root` policy is not accessible from child namespaces.
### Patches
OpenBao v2.3.2 will patch this issue.
### Workarounds
Use of `denied_parameters` in any policy which has access to the affected identity endpoints (on [identity entities](https://openbao.org/api-docs/secret/identity/entity/)) may be sufficient to prohibit this type of atta
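The `denied_parameters` workaround, as an added example that is not from the OpenBao or Vault documentation: an identity-operator policy that leaves the `policies` parameter unconstrained, beside one that refuses any request setting it to `root`. The path set (the entity and group create endpoints plus their `/*` subtrees) is an assumption about what such an operator needs; narrow it to the endpoints actually in use.

```hcl
# Weak: full control of entities and groups with "policies" unconstrained,
# so the operator can write policies=["root"] onto their own entity or group.
path "identity/entity/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "identity/group/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

# Hardened: the same operations, but a request whose "policies" parameter
# contains "root" is denied. The create endpoints have no trailing path
# segment, so "identity/entity/*" does not match them; list them separately.
path "identity/entity" {
  capabilities      = ["create", "update"]
  denied_parameters = { "policies" = ["root"] }
}
path "identity/entity/*" {
  capabilities      = ["create", "read", "update", "delete", "list"]
  denied_parameters = { "policies" = ["root"] }
}
path "identity/group" {
  capabilities      = ["create", "update"]
  denied_parameters = { "policies" = ["root"] }
}
path "identity/group/*" {
  capabilities      = ["create", "read", "update", "delete", "list"]
  denied_parameters = { "policies" = ["root"] }
}
```

Two limits to keep in mind. `denied_parameters` only inspects the parameters of the request it gates, so adding an entity via `member_entity_ids` to a group that already carries `root` passes; audit existing entities and groups for `root` before relying on this. And, as the OpenBao group advisory on this page notes, the constraint only matters for operators who cannot write ACL policies: one who can edit policies can grant root-equivalent access through `sudo` regardless.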
OSV / GHSA
Hashicorp Vault has Privilege Escalation Vulnerability
osv, ghsa · 2025-08-01 · CVE-2025-5999 [HIGH] · CWE-266
A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or another user’s token privileges to Vault’s root policy. Fixed in Vault Community Edition 1.20.0 and Vault Enterprise 1.20.0, 1.19.6, 1.18.11 and 1.16.22.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.