VYPR
Moderate severity · NVD Advisory · Published Jun 25, 2025 · Updated Jun 25, 2025

OpenBao Vulnerable to Unauthenticated Rekey Operation Cancellation

CVE-2025-52894

Description

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. OpenBao before v2.3.0 allowed an attacker to perform unauthenticated, unaudited cancellation of root rekey and recovery rekey operations, effecting a denial of service. In OpenBao v2.2.0 and later, manually setting the configuration option disable_unauthed_rekey_endpoints=true allows an operator to deny these rarely-used endpoints on global listeners. A patch is available at commit fe75468822a22a88318c6079425357a02ae5b77b. In a future OpenBao release communicated on OpenBao's website, the maintainers will set this to true for all users and provide an authenticated alternative. As a workaround, if an active proxy or load balancer sits in front of OpenBao, an operator can deny requests to these endpoints from unauthorized IP ranges.
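Both mitigations named above (setting `disable_unauthed_rekey_endpoints=true` on the listener, or having a proxy deny the paths) can be verified from outside the server. The script below is an added example for this advisory, not OpenBao project code: it sends an unauthenticated GET to each legacy rekey status path and reports whether the listener still serves it. The status-code reading is an assumption taken from the fix's own test (200 while the handler is registered, 405 once the option removes it); 401/403 is read as a proxy or load balancer deny. Only the read-only GET is issued.

```python
"""Check whether an OpenBao listener still serves the legacy unauthenticated
rekey endpoints (CVE-2025-52894) without a token.

Added example for this advisory; not OpenBao project code. Endpoint paths
are from the advisory. The status-code interpretation is assumed from the
fix's test: 200 when the handler is registered, 405 once
disable_unauthed_rekey_endpoints=true removes it; 401/403 is taken to
mean an upstream proxy or load balancer denied the path.
"""
import sys
import urllib.error
import urllib.request

# Read-only status paths of the legacy rekey flows (paths from the advisory).
REKEY_STATUS_PATHS = (
    "/v1/sys/rekey/init",
    "/v1/sys/rekey/verify",
    "/v1/sys/rekey-recovery-key/init",
    "/v1/sys/rekey-recovery-key/verify",
)


def http_probe(url, timeout=5.0):
    """GET url with no X-Vault-Token header; return the HTTP status, or None
    when the listener cannot be reached at all."""
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except (urllib.error.URLError, OSError):
        return None


def classify(status):
    """Translate the status of an unauthenticated GET into a verdict."""
    if status is None:
        return "unreachable"
    if status == 200:
        return "exposed"    # served without a token: unpatched, or option left at false
    if status == 405:
        return "disabled"   # handler not registered on this listener (assumed from the test)
    if status in (401, 403):
        return "blocked"    # denied before reaching OpenBao, e.g. a proxy path rule
    return "unexpected-%d" % status


def audit_listener(base_url, probe=http_probe):
    """Probe every legacy rekey status path on one listener.

    `probe` is injectable so the decision logic can run offline. Returns the
    per-path verdicts and one flag that is True if any path is still served
    without authentication.
    """
    base = base_url.rstrip("/")
    verdicts = {path: classify(probe(base + path)) for path in REKEY_STATUS_PATHS}
    return {"paths": verdicts, "exposed": any(v == "exposed" for v in verdicts.values())}


def main(argv):
    if len(argv) != 2:
        print("usage: rekey_exposure_check.py https://openbao.example.internal:8200",
              file=sys.stderr)
        return 2
    report = audit_listener(argv[1])
    for path, verdict in report["paths"].items():
        print(f"{verdict:<12} {path}")
    # Non-zero exit so the check can gate a deployment pipeline.
    return 1 if report["exposed"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against each listener address separately: the option is per listener, so a hardened public listener says nothing about a second listener on the same node. A `blocked` verdict on every path with `exposed` on none is what a correctly configured proxy workaround looks like from the outside; the listener behind it may still be unpatched, so the listener itself should be probed from inside the allowed range as well.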

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
github.com/openbao/openbao (Go) | >= 0.1.0 |
github.com/openbao/openbao (Go) | < 0.0.0-20250625150133-fe75468822a2 | 0.0.0-20250625150133-fe75468822a2

Patches

fe75468822a2

Allow disabling unauthenticated rekey (#1496)

https://github.com/openbao/openbao · Alexander Scheel · Jun 25, 2025 · via ghsa
11 files changed · +127 −23
  • changelog/1496.txt+3 0 added
    @@ -0,0 +1,3 @@
    +```release-note:security
    +core/sys: Add listener parameter (`disable_unauthed_rekey_endpoints`, default: `false`) to optionally disable unauthenticated rekey operations (to `sys/rekey/*` and `sys/rekey-recovery-key/*`) for a listener. This will be set to true in a future release; see the [deprecation notice](https://openbao.org/docs/deprecation/unauthed-rekey/) for more information. Auditing is now enabled for these endpoints as well. CVE-2025-52894. Upstream HCSEC-2025-11 / CVE-2025-4656.
    +```
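Review bot: the release note calls this a "listener parameter" but does not say that it is accepted by both the `tcp` and the `unix` listener stanzas, which this same change documents in tcp.mdx and unix.mdx; one clause naming both would save operators a search. It would also help to state the effect on a request to a listener where it is set (the new test expects 405), since that is what people will see in their proxy logs after enabling it.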
    
  • http/handler.go+18 6 modified
    @@ -177,16 +177,28 @@ func handler(props *vault.HandlerProperties) http.Handler {
     		mux.Handle("/v1/sys/leader", handleSysLeader(core))
     		mux.Handle("/v1/sys/health", handleSysHealth(core))
     		mux.Handle("/v1/sys/monitor", handleLogicalNoForward(core))
    +
     		mux.Handle("/v1/sys/generate-root/attempt", handleRequestForwarding(core,
     			handleAuditNonLogical(core, handleSysGenerateRootAttempt(core, vault.GenerateStandardRootTokenStrategy))))
     		mux.Handle("/v1/sys/generate-root/update", handleRequestForwarding(core,
     			handleAuditNonLogical(core, handleSysGenerateRootUpdate(core, vault.GenerateStandardRootTokenStrategy))))
    -		mux.Handle("/v1/sys/rekey/init", handleRequestForwarding(core, handleSysRekeyInit(core, false)))
    -		mux.Handle("/v1/sys/rekey/update", handleRequestForwarding(core, handleSysRekeyUpdate(core, false)))
    -		mux.Handle("/v1/sys/rekey/verify", handleRequestForwarding(core, handleSysRekeyVerify(core, false)))
    -		mux.Handle("/v1/sys/rekey-recovery-key/init", handleRequestForwarding(core, handleSysRekeyInit(core, true)))
    -		mux.Handle("/v1/sys/rekey-recovery-key/update", handleRequestForwarding(core, handleSysRekeyUpdate(core, true)))
    -		mux.Handle("/v1/sys/rekey-recovery-key/verify", handleRequestForwarding(core, handleSysRekeyVerify(core, true)))
    +
    +		// Register without unauthenticated rekey, if necessary.
    +		if props.ListenerConfig == nil || !props.ListenerConfig.DisableUnauthedRekeyEndpoints {
    +			mux.Handle("/v1/sys/rekey/init", handleRequestForwarding(core,
    +				handleAuditNonLogical(core, handleSysRekeyInit(core, false))))
    +			mux.Handle("/v1/sys/rekey/update", handleRequestForwarding(core,
    +				handleAuditNonLogical(core, handleSysRekeyUpdate(core, false))))
    +			mux.Handle("/v1/sys/rekey/verify", handleRequestForwarding(core,
    +				handleAuditNonLogical(core, handleSysRekeyVerify(core, false))))
    +			mux.Handle("/v1/sys/rekey-recovery-key/init", handleRequestForwarding(core,
    +				handleAuditNonLogical(core, handleSysRekeyInit(core, true))))
    +			mux.Handle("/v1/sys/rekey-recovery-key/update", handleRequestForwarding(core,
    +				handleAuditNonLogical(core, handleSysRekeyUpdate(core, true))))
    +			mux.Handle("/v1/sys/rekey-recovery-key/verify", handleRequestForwarding(core,
    +				handleAuditNonLogical(core, handleSysRekeyVerify(core, true))))
    +		}
    +
     		mux.Handle("/v1/sys/storage/raft/bootstrap", handleSysRaftBootstrap(core))
     		mux.Handle("/v1/sys/storage/raft/join", handleSysRaftJoin(core))
     		mux.Handle("/v1/sys/internal/ui/feature-flags", handleSysInternalFeatureFlags(core))
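Review bot: the guard `props.ListenerConfig == nil || !props.ListenerConfig.DisableUnauthedRekeyEndpoints` fails open: a handler built without a listener config gets the unauthenticated routes. That is presumably intended for test servers (the new test's first phase relies on it), but a comment saying so would stop a later reader from assuming nil means "disabled". The comment above the block reads backwards ("Register without unauthenticated rekey, if necessary"); suggest "Register the legacy unauthenticated rekey endpoints unless this listener disables them." Wrapping all six handlers in `handleAuditNonLogical` regardless of the option is the right complement, since the advisory's point is that the cancellation was unaudited.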
    
  • http/sys_metrics_test.go+37 0 modified
    @@ -99,3 +99,40 @@ func TestSysPProfUnauthenticated(t *testing.T) {
     	resp = testHttpGet(t, token, addr+"/v1/sys/pprof/cmdline")
     	testResponseStatus(t, resp, 200)
     }
    +
    +// TestSysRekeyUnauthenticated ensures that unauthenticated endpoints are
    +// protected.
    +func TestSysRekeyUnauthenticated(t *testing.T) {
    +	conf := &vault.CoreConfig{}
    +	core, _, token := vault.TestCoreUnsealedWithConfig(t, conf)
    +	ln, addr := TestServer(t, core)
    +	TestServerAuth(t, addr, token)
    +
    +	// Default: Allow unauthenticated access
    +	resp := testHttpGet(t, "", addr+"/v1/sys/rekey/init")
    +	testResponseStatus(t, resp, 200)
    +	resp = testHttpGet(t, token, addr+"/v1/sys/rekey/init")
    +	testResponseStatus(t, resp, 200)
    +
    +	// Close listener
    +	ln.Close()
    +
    +	// Setup new custom listener denying unauthenticated rekey access
    +	ln, addr = TestListener(t)
    +	props := &vault.HandlerProperties{
    +		Core: core,
    +		ListenerConfig: &configutil.Listener{
    +			DisableUnauthedRekeyEndpoints: true,
    +		},
    +	}
    +	TestServerWithListenerAndProperties(t, ln, addr, core, props)
    +	defer ln.Close()
    +	TestServerAuth(t, addr, token)
    +
    +	// Testing with and without token should fail; we have completely removed
    +	// the endpoint.
    +	resp = testHttpGet(t, "", addr+"/v1/sys/rekey/init")
    +	testResponseStatus(t, resp, 405)
    +	resp = testHttpGet(t, token, addr+"/v1/sys/rekey/init")
    +	testResponseStatus(t, resp, 405)
    +}
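Review bot: the test only exercises `GET /v1/sys/rekey/init`. The operation that motivated the advisory is `DELETE` on `/v1/sys/rekey/init` and `/v1/sys/rekey-recovery-key/init`, and neither the recovery-key paths nor `/update` and `/verify` are probed; a table-driven loop over the six paths registered in handler.go, with both `GET` and `DELETE`, would actually cover the change. The 405 expectation deserves a one-line comment explaining why an unregistered path yields 405 rather than 404 here, because the assertion depends on the fall-through handler's behaviour rather than on anything in this diff.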
    
  • internalshared/configutil/listener.go+9 0 modified
    @@ -134,6 +134,15 @@ type Listener struct {
     	// Custom Http response headers
     	CustomResponseHeaders    map[string]map[string]string `hcl:"-"`
     	CustomResponseHeadersRaw interface{}                  `hcl:"custom_response_headers"`
    +
    +	// Whether to disable responding to unauthenticated rekey endpoints
    +	// (via /sys/rekey/* and /sys/rekey-recovery-key/*) on this particular
    +	// listener.
    +	//
    +	// This defaults to false, i.e., respond to requests; in the future when
    +	// an authenticated variant with new semantics is available on a new
    +	// endpoint, this will be set to true (disabling request handling).
    +	DisableUnauthedRekeyEndpoints bool `hcl:"disable_unauthed_rekey_endpoints"`
     }
     
     // AgentAPI allows users to select which parts of the Agent API they want enabled.
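Review bot: a plain `bool` with an `hcl` tag accepts only an unquoted HCL boolean, whereas the neighbouring `tls_disable` is documented in tcp.mdx as `(string: "false")`, so an operator who copies that quoted style will get a parse error for `disable_unauthed_rekey_endpoints = "true"`; either accept the string form as `tls_disable` evidently does, or say in the docs that this one is bool-only. The field comment could also link the deprecation page so the planned default flip is discoverable from the code.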
    
  • website/content/api-docs/system/rekey.mdx+0 7 modified
    @@ -23,7 +23,6 @@ This endpoint reads the configuration and progress of the current rekey attempt.
     
     ```shell-session
     $ curl \
    -    --header "X-Vault-Token: ..." \
         http://127.0.0.1:8200/v1/sys/rekey/init
     ```
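Review bot: dropping the `X-Vault-Token` header from every example makes the docs honest about these endpoints being unauthenticated, but a reader landing on this page now sees no hint that they are deprecated, that `disable_unauthed_rekey_endpoints` turns them off, or that a listener with it set answers 405. A short admonition at the top of the page linking to `/docs/deprecation/unauthed-rekey` would close that gap; the same applies to rekey-recovery-key.mdx.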
     
    @@ -105,7 +104,6 @@ and starting a new rekey, which will also provide a new nonce.
     
     ```shell-session
     $ curl \
    -    --header "X-Vault-Token: ..." \
         --request POST \
         --data @payload.json \
         http://127.0.0.1:8200/v1/sys/rekey/init
    @@ -126,7 +124,6 @@ during the verification flow, the current unseal keys remain valid.
     
     ```shell-session
     $ curl \
    -    --header "X-Vault-Token: ..." \
         --request DELETE \
         http://127.0.0.1:8200/v1/sys/rekey/init
     ```
    @@ -216,7 +213,6 @@ for the verification operation.
     
     ```shell-session
     $ curl \
    -    --header "X-Vault-Token: ..." \
         --request POST \
         --data @payload.json \
         http://127.0.0.1:8200/v1/sys/rekey/update
    @@ -254,7 +250,6 @@ verification attempt.
     
     ```shell-session
     $ curl \
    -    --header "X-Vault-Token: ..." \
         http://127.0.0.1:8200/v1/sys/rekey/verify
     ```
     
    @@ -290,7 +285,6 @@ nonce.
     
     ```shell-session
     $ curl \
    -    --header "X-Vault-Token: ..." \
         --request DELETE \
         http://127.0.0.1:8200/v1/sys/rekey/verify
     ```
    @@ -343,7 +337,6 @@ below; otherwise the response will be the same as the `GET` method against
     
     ```shell-session
     $ curl \
    -    --header "X-Vault-Token: ..." \
         --request POST \
         --data @payload.json \
         http://127.0.0.1:8200/v1/sys/rekey/verify
    
  • website/content/api-docs/system/rekey-recovery-key.mdx+0 7 modified
    @@ -21,7 +21,6 @@ This endpoint reads the configuration and progress of the current rekey attempt.
     
     ```shell-session
     $ curl \
    -    --header "X-Vault-Token: ..." \
         http://127.0.0.1:8200/v1/sys/rekey-recovery-key/init
     ```
     
    @@ -104,7 +103,6 @@ nonce.
     
     ```shell-session
     $ curl \
    -    --header "X-Vault-Token: ..." \
         --request POST \
         --data @payload.json \
         http://127.0.0.1:8200/v1/sys/rekey-recovery-key/init
    @@ -125,7 +123,6 @@ during the verification flow, the current unseal keys remain valid.
     
     ```shell-session
     $ curl \
    -    --header "X-Vault-Token: ..." \
         --request DELETE \
         http://127.0.0.1:8200/v1/sys/rekey-recovery-key/init
     ```
    @@ -215,7 +212,6 @@ for the verification operation.
     
     ```shell-session
     $ curl \
    -    --header "X-Vault-Token" \
         --request POST \
         --data @payload.json \
         http://127.0.0.1:8200/v1/sys/rekey-recovery-key/update
    @@ -253,7 +249,6 @@ verification attempt.
     
     ```shell-session
     $ curl \
    -    --header "X-Vault-Token: ..." \
         http://127.0.0.1:8200/v1/sys/rekey-recovery-key/verify
     ```
     
    @@ -289,7 +284,6 @@ along with the new nonce.
     
     ```shell-session
     $ curl \
    -    --header "X-Vault-Token" \
         --request DELETE \
         http://127.0.0.1:8200/v1/sys/rekey-recovery-key/verify
     ```
    @@ -342,7 +336,6 @@ below; otherwise the response will be the same as the `GET` method against
     
     ```shell-session
     $ curl \
    -    --header "X-Vault-Token" \
         --request POST \
         --data @payload.json \
         http://127.0.0.1:8200/v1/sys/rekey-recovery-key/verify
    
  • website/content/docs/configuration/listener/tcp.mdx+12 0 modified
    @@ -105,6 +105,18 @@ default value in the `"/sys/config/ui"` [API endpoint](/api-docs/system/config-u
       be comma-delimited if provided as a string. At least one source IP must be provided,
       `proxy_protocol_authorized_addrs` cannot be an empty array or string.
     
    +- `disable_unauthed_rekey_endpoints` `(bool: false)` - Whether to disable requests to the
    +  legacy unauthenticated rekey endpoints (under `/sys/rekey/*` and
    +  `/sys/rekey-recovery-key/*`). These are a security risk to leave exposed on
    +  public listeners.
    +
    +:::warning
    +
    +**In OpenBao v2.4.0, this parameter will default to true, forbidding any calls
    +to the unauthenticated rekey endpoints. This will be a breaking change.
    +
    +:::
    +
     - `tls_disable` `(string: "false")` – Specifies if TLS will be disabled. OpenBao
       assumes TLS by default, so you must explicitly disable TLS to opt-in to
       insecure communication.
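Review bot: the `:::warning` body opens bold with `**In OpenBao v2.4.0` but never closes it, so the rest of the admonition either renders bold or leaks the literal asterisks depending on the MDX renderer; add the closing `**` after "breaking change." or drop the opening one. The type annotation `(bool: false)` sits next to `tls_disable` `(string: "false")`; if the field is parsed as a strict bool, say so here, because the two styles invite copying the quoted form.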
    
  • website/content/docs/configuration/listener/unix.mdx+11 0 modified
    @@ -27,6 +27,17 @@ multiple sockets.
     
     - `socket_group` `(string: "", <optional>)` – Changes the group owner of the Unix socket.
     
    +- `disable_unauthed_rekey_endpoints` `(bool: false)` - Whether to disable requests to the
    +  legacy unauthenticated rekey endpoints (under `/sys/rekey/*` and
    +  `/sys/rekey-recovery-key/*`). These are a security risk to leave exposed on
    +  public listeners.
    +
    +:::warning
    +
    +**In OpenBao v2.4.0, this parameter will default to true, forbidding any calls
    +to the unauthenticated rekey endpoints. This will be a breaking change.
    +
    +:::
     
     ## `unix` listener examples
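Review bot: same unclosed `**` in the `:::warning` block as in tcp.mdx. The sentence "a security risk to leave exposed on public listeners" was copied from the TCP page; a Unix socket listener is not public, so the rationale here is that any process able to open the socket (anything in `socket_group`, per the option above) can cancel a rekey. Rewording it for this page would make the risk concrete.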
     
    
  • website/content/docs/deprecation/index.mdx+3 2 modified
    @@ -20,6 +20,7 @@ This announcement page is maintained and updated periodically to communicate imp
     
     :::
     
    -| Feature                                                                                                                                                                                                                                                                                                                         | Deprecation announcement | End of Support | Feature Removal | Migration Path/Impact                                                                                                                                                                                                                                   | Resources                                         |
    -| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------ | -------------- | --------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------- |
    +| Feature | Deprecation announcement | End of Support | Feature Removal | Migration Path/Impact | Resources |
    +| ------- | ------------------------ | -------------- | --------------- | --------------------- | --------- |
     | Configuration of PKCS#11 auto-unseal using the duplicate and undocumented `module`, `token` and `key` options is now deprecated. Use the documented alternative options `lib`, `token_label` and `key_label` instead, respectively. ([More details](https://github.com/openbao/go-kms-wrapping/pull/33#discussion_r2112177962)) | v2.2.2                   | TBD            | No              | Modify your configuration file to use the respective supported option, see [PKCS#11 Unseal](/docs/configuration/seal/pkcs11). Impact is minimal as the deprecated options were undocumented. The switch to the supported options should be trivial.     | [PKCS#11 Unseal](/docs/configuration/seal/pkcs11) |
    +| Unauthenticated Rekey & Root Rotation Endpoints | [Link](/docs/deprecation/unauthed-rekey) | v2.4.0 | n/a | Move to future authenticated variants or set `disable_unauthed_rekey_endpoints=false` in listeners explicitly. | [Listener Configuration](https://openbao.org/docs/configuration/listener/) |
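Review bot: the new row's Migration Path tells operators to "set `disable_unauthed_rekey_endpoints=false` in listeners explicitly", which keeps exactly the unauthenticated, cancellable behaviour the advisory describes; the cell should present that as the opt-out for staying on the legacy endpoints past v2.4.0, with the authenticated replacement as the fix-forward, otherwise it reads as the recommended step. The columns are also used differently from the PKCS#11 row: "Deprecation announcement" holds a link rather than a version, "Feature Removal" is "n/a" while "End of Support" is v2.4.0, and the Resources link is absolute where the others are relative.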
    
  • website/content/docs/deprecation/unauthed-rekey.mdx+33 0 added
    @@ -0,0 +1,33 @@
    +---
    +sidebar_label: Unauthenticated Rekey Endpoints
    +description: |-
    +  Deprecating the `sys/rekey/*` and `sys/rekey-recovery-key/*` endpoints.
    +---
    +
    +# Deprecating Unauthenticated Rekey Endpoints
    +
    +## What
    +
    +In OpenBao v2.4.0, the `disable_unauthed_rekey_endpoints` parameter will be
    +set to `true` by default (currently `false`), preventing all requests to the
    +unauthenticated `sys/rekey/*` and `sys/rekey-recovery-key/*` endpoints.
    +
    +A replacement will be made available ahead of this change landing.
    +
    +## Why
    +
    +These endpoints pose a security risk. An unauthenticated attacker may call
    +the cancel endpoint (`DELETE /sys/rekey/init` or
    +`DELETE /sys/rekey-recovery-key/init`), interrupting a valid rekey operation.
    +Additionally, an attacker may choose to initiate their own rekey operation.
    +
    +Such interaction is not audited and may not result in log messages.
    +
    +A log line such as:
    +
    +```
    +2025-05-12T14:59:20.819-0500 [INFO]  core: rekey initialized: nonce=592d7982-47aa-b8c9-3d72-b37db72e389f shares=1 threshold=1 validation_required=false
    +```
    +
    +may be visible if an attacker initiated their own rekey operation; this
    +operation would not be successful.
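Review bot: "Such interaction is not audited" is stale within this same change: handler.go now wraps all six endpoints in `handleAuditNonLogical`, so the sentence should read "was not audited before this fix" and can add that a cancellation should now leave an audit entry, which is what a defender reading this page needs to know. "A replacement will be made available" should name the planned authenticated endpoint or say the design is not yet published, so the page can be checked against later releases. The log-line example would also be more useful with the cancellation case spelled out: the page says cancellation "may not result in log messages", which is precisely why operators should rely on the audit log rather than the server log for this.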
    
  • website/sidebars.ts+1 1 modified
    @@ -478,7 +478,7 @@ const sidebars: SidebarsConfig = {
             },
             "known-issues",
             {
    -            "Deprecation Notices": ["deprecation/index", "deprecation/faq"],
    +            "Deprecation Notices": ["deprecation/index", "deprecation/faq", "deprecation/unauthed-rekey"],
                 Policies: [
                     "policies/index",
                     "policies/brand",
    

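The deprecation notice added by this commit gives the one server log line an unauthenticated rekey initiation leaves behind (`core: rekey initialized: nonce=... shares=... threshold=...`) and notes that a cancellation may leave none, so server logs alone cannot catch the cancellation; they can at least surface initiations nobody scheduled. The script below is an added example, not OpenBao project code: it parses that line format and reports initiations falling outside approved maintenance windows. The sample log lines are constructed in the notice's format, and the window policy is this example's own.

```python
"""Alert on OpenBao rekey initiations that were not scheduled.

Added example for this advisory; not OpenBao project code. The line format
is the one quoted in the deprecation notice; SAMPLE_LOG below is constructed
in that format, and the maintenance-window policy is this example's own.
"""
import re
from datetime import datetime, timedelta, timezone

# Server log line emitted when a rekey attempt starts (format from the notice).
REKEY_INIT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4})\s+"
    r"\[(?P<level>[A-Z]+)\]\s+core: rekey initialized: "
    r"nonce=(?P<nonce>[0-9a-f-]+)\s+shares=(?P<shares>\d+)\s+threshold=(?P<threshold>\d+)"
    r"(?:\s+validation_required=(?P<validation>true|false))?"
)

# UTC-5, the offset used by the constructed samples.
CENTRAL = timezone(timedelta(hours=-5))

# Constructed sample log: one initiation during a maintenance window, one
# unrelated line, and two initiations in the middle of the night.
SAMPLE_LOG = """\
2025-05-12T14:59:20.819-0500 [INFO]  core: rekey initialized: nonce=592d7982-47aa-b8c9-3d72-b37db72e389f shares=1 threshold=1 validation_required=false
2025-05-12T15:00:02.110-0500 [INFO]  core: post-unseal setup complete
2025-05-13T03:17:44.502-0500 [INFO]  core: rekey initialized: nonce=0f3c9d6e-1b2a-4c5d-8e9f-a0b1c2d3e4f5 shares=5 threshold=3 validation_required=true
2025-05-13T03:18:01.004-0500 [INFO]  core: rekey initialized: nonce=7a7a7a7a-0000-4000-8000-000000000001 shares=1 threshold=1
"""

# Approved rekey window (this example's policy): 14:00-16:00 on 2025-05-12.
APPROVED_WINDOWS = [
    (datetime(2025, 5, 12, 14, 0, tzinfo=CENTRAL),
     datetime(2025, 5, 12, 16, 0, tzinfo=CENTRAL)),
]


def parse_rekey_init(line):
    """Return a dict for a 'rekey initialized' line, or None for anything else."""
    m = REKEY_INIT_RE.match(line.strip())
    if not m:
        return None
    return {
        "time": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%f%z"),
        "nonce": m["nonce"],
        "shares": int(m["shares"]),
        "threshold": int(m["threshold"]),
        # Absent on older lines; treat "not stated" as false.
        "validation_required": m["validation"] == "true",
    }


def unscheduled_rekeys(log_text, windows):
    """Parse log_text and return the rekey initiations whose timestamp lies
    outside every approved (start, end) window. Windows must be tz-aware so
    comparisons with the parsed offsets are well defined."""
    hits = []
    for line in log_text.splitlines():
        event = parse_rekey_init(line)
        if event is None:
            continue
        if not any(start <= event["time"] <= end for start, end in windows):
            hits.append(event)
    return hits


def nonces(events):
    """Convenience for correlating hits with audit-log entries by nonce."""
    return [e["nonce"] for e in events]


if __name__ == "__main__":
    for e in unscheduled_rekeys(SAMPLE_LOG, APPROVED_WINDOWS):
        print(f"UNSCHEDULED rekey at {e['time'].isoformat()} "
              f"nonce={e['nonce']} shares={e['shares']} threshold={e['threshold']}")
```

The nonce is the join key: once the fix's audit wrapping is in place, the same nonce appears in the audit log with the caller's remote address, which is what turns a suspicious initiation into an attributable event. Before the fix, or on listeners still serving the endpoints unauthenticated, this server-log check is the only signal available.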