Headline
GHSA-7ff4-jw48-3436: OpenBao is Vulnerable to Privileged Operator Identity Group Root Escalation
Impact
Similar to HCSEC-2025-13 / CVE-2025-5999, a privileged operator could use the identity group subsystem to add a root policy to a group identity group, escalating their or another user’s permissions in the system. Specifically this is an issue when:
- An operator in the root namespace has access to
identity/groupsendpoints. - An operator does not have policy access.
Otherwise, an operator with policy access could create or modify an existing policy to grant root-equivalent permissions through the sudo capability.
Patches
Patched in version 2.4.4.
Workarounds
Users should audit the use of identity subsystem and deny operators access if it is not in use.
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2025-64761
OpenBao is Vulnerable to Privileged Operator Identity Group Root Escalation
High severity GitHub Reviewed Published Nov 24, 2025 in openbao/openbao • Updated Nov 24, 2025
Package
gomod github.com/openbao/openbao (Go)
Affected versions
< 2.4.4
Impact
Similar to HCSEC-2025-13 / CVE-2025-5999, a privileged operator could use the identity group subsystem to add a root policy to a group identity group, escalating their or another user’s permissions in the system. Specifically this is an issue when:
- An operator in the root namespace has access to identity/groups endpoints.
- An operator does not have policy access.
Otherwise, an operator with policy access could create or modify an existing policy to grant root-equivalent permissions through the sudo capability.
Patches
Patched in version 2.4.4.
Workarounds
Users should audit the use of identity subsystem and deny operators access if it is not in use.
References
- GHSA-7ff4-jw48-3436
- openbao/openbao@747a137
- https://github.com/openbao/openbao/releases/tag/v2.4.4
Published to the GitHub Advisory Database
Nov 24, 2025
Last updated
Nov 24, 2025