VYPR
Get started
← All advisories
Critical severityNVD Advisory· Published Aug 9, 2025· Updated Aug 11, 2025

OpenBao: Privileged Operator May Execute Code on the Underlying Host

CVE-2025-54997

Description

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, some OpenBao deployments intentionally limit privileged API operators from executing system code or making network connections. However, these operators can bypass both restrictions through the audit subsystem by manipulating log prefixes. This allows unauthorized code execution and network access that violates the intended security model. This issue is fixed in version 2.3.2. To workaround, users can block access to sys/audit/* endpoints using explicit deny policies, but root operators cannot be restricted this way.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/openbao/openbaoGo
>= 0.1.0, < 2.3.22.3.2
github.com/openbao/openbaoGo
< 0.0.0-20250806194004-a14053c9679d0.0.0-20250806194004-a14053c9679d

Affected products

1

Patches

1
a14053c9679d

Disable audit mount creation via API + disable audit log prefixing (#1634)

https://github.com/openbao/openbaoJonas KöhnenAug 6, 2025via ghsa
commit
12 files changed · +229 76
  • builtin/logical/transit/path_keys_test.go+4 0 modified
    @@ -16,6 +16,7 @@ import (
 	"github.com/openbao/openbao/api/v2"
 	"github.com/openbao/openbao/audit"
 	"github.com/openbao/openbao/builtin/audit/file"
+	"github.com/openbao/openbao/command/server"
 	vaulthttp "github.com/openbao/openbao/http"
 	"github.com/openbao/openbao/sdk/v2/logical"
 	"github.com/openbao/openbao/vault"
@@ -24,6 +25,9 @@ import (
 
 func TestTransit_Issue_2958(t *testing.T) {
 	coreConfig := &vault.CoreConfig{
+		RawConfig: &server.Config{
+			UnsafeAllowAPIAuditCreation: true,
+		},
 		LogicalBackends: map[string]logical.Factory{
 			"transit": Factory,
 		},
  • changelog/1634.txt+5 0 added
    @@ -0,0 +1,5 @@
+```release-note:security
+audit: Add server configuration options to disable audit mount creation via the API and to disable audit log prefixing.
+  - `unsafe_allow_api_audit_creation (default: false)` controls the ability to create audit mounts via the API
+  - `allow_audit_log_prefixing (default: false)` controls the availability of the prefix audit mount option
+```
  • command/server/config.go+23 0 modified
    @@ -113,6 +113,9 @@ type Config struct {
 
 	UnsafeCrossNamespaceIdentity bool `hcl:"unsafe_cross_namespace_identity"`
 
+	UnsafeAllowAPIAuditCreation bool `hcl:"unsafe_allow_api_audit_creation"`
+	AllowAuditLogPrefixing      bool `hcl:"allow_audit_log_prefixing"`
+
 	// Initialization is a configuration object that helps to initialize
 	// OpenBao. It can be specified multiple times and each instance can
 	// contain one or more `request` objects. This is used by the
@@ -419,6 +422,21 @@ func (c *Config) Merge(c2 *Config) *Config {
 		result.EnableResponseHeaderRaftNodeID = c2.EnableResponseHeaderRaftNodeID
 	}
 
+	result.UnsafeCrossNamespaceIdentity = c.UnsafeCrossNamespaceIdentity
+	if c2.UnsafeCrossNamespaceIdentity {
+		result.UnsafeCrossNamespaceIdentity = c2.UnsafeCrossNamespaceIdentity
+	}
+
+	result.UnsafeAllowAPIAuditCreation = c.UnsafeAllowAPIAuditCreation
+	if c2.UnsafeAllowAPIAuditCreation {
+		result.UnsafeAllowAPIAuditCreation = c2.UnsafeAllowAPIAuditCreation
+	}
+
+	result.AllowAuditLogPrefixing = c.AllowAuditLogPrefixing
+	if c2.AllowAuditLogPrefixing {
+		result.AllowAuditLogPrefixing = c2.AllowAuditLogPrefixing
+	}
+
 	// Use values from top-level configuration for storage if set
 	if storage := result.Storage; storage != nil {
 		if result.APIAddr != "" {
@@ -1087,6 +1105,11 @@ func (c *Config) Sanitized() map[string]interface{} {
 		"detect_deadlocks": c.DetectDeadlocks,
 
 		"imprecise_lease_role_tracking": c.ImpreciseLeaseRoleTracking,
+
+		"unsafe_cross_namespace_identity": c.UnsafeCrossNamespaceIdentity,
+
+		"unsafe_allow_api_audit_creation": c.UnsafeAllowAPIAuditCreation,
+		"allow_audit_log_prefixing":       c.AllowAuditLogPrefixing,
 	}
 	for k, v := range sharedResult {
 		result[k] = v
  • command/server/config_test_helpers.go+5 2 modified
    @@ -777,8 +777,11 @@ func testConfig_Sanitized(t *testing.T) {
 			"num_lease_metrics_buckets":              168,
 			"add_lease_metrics_namespace_labels":     false,
 		},
-		"administrative_namespace_path": "admin/",
-		"imprecise_lease_role_tracking": false,
+		"administrative_namespace_path":   "admin/",
+		"imprecise_lease_role_tracking":   false,
+		"unsafe_cross_namespace_identity": false,
+		"unsafe_allow_api_audit_creation": false,
+		"allow_audit_log_prefixing":       false,
 	}
 
 	addExpectedEntSanitizedConfig(expected, []string{"http"})
  • http/logical_test.go+5 0 modified
    @@ -21,6 +21,7 @@ import (
 	auditFile "github.com/openbao/openbao/builtin/audit/file"
 	credUserpass "github.com/openbao/openbao/builtin/credential/userpass"
 	kv "github.com/openbao/openbao/builtin/logical/kv"
+	"github.com/openbao/openbao/command/server"
 	"github.com/openbao/openbao/helper/testhelpers/corehelpers"
 	"github.com/openbao/openbao/internalshared/configutil"
 	"github.com/openbao/openbao/sdk/v2/helper/consts"
@@ -611,6 +612,7 @@ func TestLogical_Audit_invalidWrappingToken(t *testing.T) {
 	// Create a noop audit backend
 	noop := corehelpers.TestNoopAudit(t, nil)
 	c, _, root := vault.TestCoreUnsealedWithConfig(t, &vault.CoreConfig{
+		RawConfig: &server.Config{UnsafeAllowAPIAuditCreation: true},
 		AuditBackends: map[string]audit.Factory{
 			"noop": func(ctx context.Context, config *audit.BackendConfig) (audit.Backend, error) {
 				return noop, nil
@@ -986,6 +988,9 @@ func TestLogical_AuditEnabled_ShouldLogPluginMetadata_Auth(t *testing.T) {
 // in audit log when it is enabled
 func TestLogical_AuditEnabled_ShouldLogPluginMetadata_Secret(t *testing.T) {
 	coreConfig := &vault.CoreConfig{
+		RawConfig: &server.Config{
+			UnsafeAllowAPIAuditCreation: true,
+		},
 		LogicalBackends: map[string]logical.Factory{
 			"kv": kv.VersionedKVFactory,
 		},
  • http/sys_audit_test.go+24 3 modified
    @@ -8,11 +8,20 @@ import (
 	"reflect"
 	"testing"
 
+	"github.com/openbao/openbao/audit"
+	"github.com/openbao/openbao/command/server"
+	"github.com/openbao/openbao/helper/testhelpers/corehelpers"
 	"github.com/openbao/openbao/vault"
 )
 
 func TestSysAudit(t *testing.T) {
-	core, _, token := vault.TestCoreUnsealed(t)
+	core, _, token := vault.TestCoreUnsealedWithConfig(t, &vault.CoreConfig{
+		RawConfig: &server.Config{UnsafeAllowAPIAuditCreation: true},
+		AuditBackends: map[string]audit.Factory{
+			"noop": corehelpers.NoopAuditFactory(nil),
+		},
+	})
+
 	ln, addr := TestServer(t, core)
 	defer ln.Close()
 	TestServerAuth(t, addr, token)
@@ -60,7 +69,13 @@ func TestSysAudit(t *testing.T) {
 }
 
 func TestSysDisableAudit(t *testing.T) {
-	core, _, token := vault.TestCoreUnsealed(t)
+	core, _, token := vault.TestCoreUnsealedWithConfig(t, &vault.CoreConfig{
+		RawConfig: &server.Config{UnsafeAllowAPIAuditCreation: true},
+		AuditBackends: map[string]audit.Factory{
+			"noop": corehelpers.NoopAuditFactory(nil),
+		},
+	})
+
 	ln, addr := TestServer(t, core)
 	defer ln.Close()
 	TestServerAuth(t, addr, token)
@@ -97,7 +112,13 @@ func TestSysDisableAudit(t *testing.T) {
 }
 
 func TestSysAuditHash(t *testing.T) {
-	core, _, token := vault.TestCoreUnsealed(t)
+	core, _, token := vault.TestCoreUnsealedWithConfig(t, &vault.CoreConfig{
+		RawConfig: &server.Config{UnsafeAllowAPIAuditCreation: true},
+		AuditBackends: map[string]audit.Factory{
+			"noop": corehelpers.NoopAuditFactory(nil),
+		},
+	})
+
 	ln, addr := TestServer(t, core)
 	defer ln.Close()
 	TestServerAuth(t, addr, token)
  • http/sys_config_state_test.go+6 3 modified
    @@ -171,9 +171,12 @@ func TestSysConfigState_Sanitized(t *testing.T) {
 						"type":   "tcp",
 					},
 				},
-				"storage":                       tc.expectedStorageOutput,
-				"administrative_namespace_path": "",
-				"imprecise_lease_role_tracking": false,
+				"storage":                         tc.expectedStorageOutput,
+				"administrative_namespace_path":   "",
+				"imprecise_lease_role_tracking":   false,
+				"unsafe_cross_namespace_identity": false,
+				"unsafe_allow_api_audit_creation": false,
+				"allow_audit_log_prefixing":       false,
 			}
 
 			if tc.expectedHAStorageOutput != nil {
  • http/sys_generate_root_test.go+5 9 modified
    @@ -16,6 +16,7 @@ import (
 
 	"github.com/go-test/deep"
 	"github.com/openbao/openbao/audit"
+	"github.com/openbao/openbao/command/server"
 	"github.com/openbao/openbao/helper/namespace"
 	"github.com/openbao/openbao/helper/pgpkeys"
 	"github.com/openbao/openbao/helper/testhelpers/corehelpers"
@@ -227,19 +228,14 @@ func enableNoopAudit(t *testing.T, token string, core *vault.Core) {
 	}
 }
 
-func testCoreUnsealedWithAudit(t *testing.T, records **[][]byte) (*vault.Core, [][]byte, string) {
-	conf := &vault.CoreConfig{
-		BuiltinRegistry: corehelpers.NewMockBuiltinRegistry(),
+func testServerWithAudit(t *testing.T, records **[][]byte) (net.Listener, string, string, [][]byte) {
+	core, keys, token := vault.TestCoreUnsealedWithConfig(t, &vault.CoreConfig{
+		RawConfig: &server.Config{UnsafeAllowAPIAuditCreation: true},
 		AuditBackends: map[string]audit.Factory{
 			"noop": corehelpers.NoopAuditFactory(records),
 		},
-	}
-	core, keys, token := vault.TestCoreUnsealedWithConfig(t, conf)
-	return core, keys, token
-}
+	})
 
-func testServerWithAudit(t *testing.T, records **[][]byte) (net.Listener, string, string, [][]byte) {
-	core, keys, token := testCoreUnsealedWithAudit(t, records)
 	ln, addr := TestServer(t, core)
 	TestServerAuth(t, addr, token)
 	enableNoopAudit(t, token, core)
  • vault/core_test.go+33 25 modified
    @@ -1447,14 +1447,16 @@ func TestCore_HandleLogin_Token(t *testing.T) {
 
 func TestCore_HandleRequest_AuditTrail(t *testing.T) {
 	// Create a noop audit backend
-	noop := &corehelpers.NoopAudit{}
-	c, _, root := TestCoreUnsealed(t)
-	c.auditBackends["noop"] = func(ctx context.Context, config *audit.BackendConfig) (audit.Backend, error) {
-		noop = &corehelpers.NoopAudit{
-			Config: config,
-		}
-		return noop, nil
-	}
+	var noop *corehelpers.NoopAudit
+	c, _, root := TestCoreUnsealedWithConfig(t, &CoreConfig{
+		RawConfig: &server.Config{UnsafeAllowAPIAuditCreation: true},
+		AuditBackends: map[string]audit.Factory{
+			"noop": func(ctx context.Context, config *audit.BackendConfig) (audit.Backend, error) {
+				noop = &corehelpers.NoopAudit{Config: config}
+				return noop, nil
+			},
+		},
+	})
 
 	// Enable the audit backend
 	req := logical.TestRequest(t, logical.UpdateOperation, "sys/audit/noop")
@@ -1512,13 +1514,15 @@ func TestCore_HandleRequest_AuditTrail(t *testing.T) {
 func TestCore_HandleRequest_AuditTrail_noHMACKeys(t *testing.T) {
 	// Create a noop audit backend
 	var noop *corehelpers.NoopAudit
-	c, _, root := TestCoreUnsealed(t)
-	c.auditBackends["noop"] = func(ctx context.Context, config *audit.BackendConfig) (audit.Backend, error) {
-		noop = &corehelpers.NoopAudit{
-			Config: config,
-		}
-		return noop, nil
-	}
+	c, _, root := TestCoreUnsealedWithConfig(t, &CoreConfig{
+		RawConfig: &server.Config{UnsafeAllowAPIAuditCreation: true},
+		AuditBackends: map[string]audit.Factory{
+			"noop": func(ctx context.Context, config *audit.BackendConfig) (audit.Backend, error) {
+				noop = &corehelpers.NoopAudit{Config: config}
+				return noop, nil
+			},
+		},
+	})
 
 	// Specify some keys to not HMAC
 	req := logical.TestRequest(t, logical.UpdateOperation, "sys/mounts/secret/tune")
@@ -1631,16 +1635,20 @@ func TestCore_HandleLogin_AuditTrail(t *testing.T) {
 		},
 		BackendType: logical.TypeCredential,
 	}
-	c, _, root := TestCoreUnsealed(t)
-	c.credentialBackends["noop"] = func(context.Context, *logical.BackendConfig) (logical.Backend, error) {
-		return noopBack, nil
-	}
-	c.auditBackends["noop"] = func(ctx context.Context, config *audit.BackendConfig) (audit.Backend, error) {
-		noop = &corehelpers.NoopAudit{
-			Config: config,
-		}
-		return noop, nil
-	}
+	c, _, root := TestCoreUnsealedWithConfig(t, &CoreConfig{
+		RawConfig: &server.Config{UnsafeAllowAPIAuditCreation: true},
+		AuditBackends: map[string]audit.Factory{
+			"noop": func(ctx context.Context, config *audit.BackendConfig) (audit.Backend, error) {
+				noop = &corehelpers.NoopAudit{Config: config}
+				return noop, nil
+			},
+		},
+		CredentialBackends: map[string]logical.Factory{
+			"noop": func(context.Context, *logical.BackendConfig) (logical.Backend, error) {
+				return noopBack, nil
+			},
+		},
+	})
 
 	// Enable the credential backend
 	req := logical.TestRequest(t, logical.UpdateOperation, "sys/auth/foo")
  • vault/logical_system.go+11 0 modified
    @@ -31,6 +31,7 @@ import (
 	"github.com/hashicorp/go-secure-stdlib/parseutil"
 	"github.com/hashicorp/go-secure-stdlib/strutil"
 	semver "github.com/hashicorp/go-version"
+	"github.com/openbao/openbao/command/server"
 	"github.com/openbao/openbao/helper/hostutil"
 	"github.com/openbao/openbao/helper/identity"
 	"github.com/openbao/openbao/helper/locking"
@@ -3137,6 +3138,16 @@ func (b *SystemBackend) handleEnableAudit(ctx context.Context, req *logical.Requ
 	description := data.Get("description").(string)
 	options := data.Get("options").(map[string]string)
 
+	conf := b.Core.rawConfig.Load().(*server.Config)
+
+	if !conf.UnsafeAllowAPIAuditCreation {
+		return handleError(fmt.Errorf("cannot enable audit device via API"))
+	}
+
+	if _, hasPrefix := options["prefix"]; hasPrefix && !conf.AllowAuditLogPrefixing {
+		return handleError(fmt.Errorf("audit log prefixing is not allowed"))
+	}
+
 	// Create the mount entry
 	me := &MountEntry{
 		Table:       auditTableType,
  • vault/logical_system_test.go+107 34 modified
    @@ -23,7 +23,9 @@ import (
 	"github.com/hashicorp/go-hclog"
 	semver "github.com/hashicorp/go-version"
 	"github.com/openbao/openbao/audit"
+	auditFile "github.com/openbao/openbao/builtin/audit/file"
 	credUserpass "github.com/openbao/openbao/builtin/credential/userpass"
+	"github.com/openbao/openbao/command/server"
 	"github.com/openbao/openbao/helper/builtinplugins"
 	"github.com/openbao/openbao/helper/identity"
 	"github.com/openbao/openbao/helper/namespace"
@@ -2266,15 +2268,21 @@ func TestSystemBackend_tuneAuth(t *testing.T) {
 func TestSystemBackend_tuneSys(t *testing.T) {
 	// Create a noop audit backend
 	var noop *corehelpers.NoopAudit
-	c, b, root := testCoreSystemBackend(t)
-	c.auditBackends["noop"] = func(ctx context.Context, config *audit.BackendConfig) (audit.Backend, error) {
-		var err error
-		noop, err = corehelpers.NewNoopAudit(config.Config)
-		if err != nil {
-			return nil, err
-		}
-		return noop, nil
-	}
+	c, _, root := TestCoreUnsealedWithConfig(t, &CoreConfig{
+		RawConfig: &server.Config{UnsafeAllowAPIAuditCreation: true},
+		AuditBackends: map[string]audit.Factory{
+			"noop": func(ctx context.Context, config *audit.BackendConfig) (audit.Backend, error) {
+				var err error
+				noop, err = corehelpers.NewNoopAudit(config.Config)
+				if err != nil {
+					return nil, err
+				}
+				return noop, nil
+			},
+		},
+	})
+
+	b := c.systemBackend
 
 	// Validate Tune behavior.
 	req := logical.TestRequest(t, logical.UpdateOperation, "mounts/sys/tune")
@@ -2561,13 +2569,12 @@ func TestSystemBackend_PoliciesDetailedAcl(t *testing.T) {
 }
 
 func TestSystemBackend_enableAudit(t *testing.T) {
-	c, b, _ := testCoreSystemBackend(t)
-	c.auditBackends["noop"] = corehelpers.NoopAuditFactory(nil)
+	b := testSystemBackendUnsafeAuditCreation(t)
 
 	req := logical.TestRequest(t, logical.UpdateOperation, "audit/foo")
 	req.Data["type"] = "noop"
 
-	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+	resp, err := b.HandleRequest(namespace.RootContext(context.Background()), req)
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}
@@ -2631,8 +2638,7 @@ func TestSystemBackend_decodeToken(t *testing.T) {
 }
 
 func TestSystemBackend_auditHash(t *testing.T) {
-	c, b, _ := testCoreSystemBackend(t)
-	c.auditBackends["noop"] = corehelpers.NoopAuditFactory(nil)
+	b := testSystemBackendUnsafeAuditCreation(t)
 
 	req := logical.TestRequest(t, logical.UpdateOperation, "audit/foo")
 	req.Data["type"] = "noop"
@@ -2680,10 +2686,12 @@ func TestSystemBackend_auditHash(t *testing.T) {
 }
 
 func TestSystemBackend_enableAudit_invalid(t *testing.T) {
-	b := testSystemBackend(t)
+	b := testSystemBackendUnsafeAuditCreation(t)
+
 	req := logical.TestRequest(t, logical.UpdateOperation, "audit/foo")
 	req.Data["type"] = "nope"
-	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+
+	resp, err := b.HandleRequest(namespace.RootContext(context.Background()), req)
 	if err != logical.ErrInvalidRequest {
 		t.Fatalf("err: %v", err)
 	}
@@ -2692,9 +2700,61 @@ func TestSystemBackend_enableAudit_invalid(t *testing.T) {
 	}
 }
 
+func TestSystemBackend_enableAudit_apiCreationDisabled(t *testing.T) {
+	// Note: this is not 'testSystemBackendUnsafeAuditCreation',
+	// so unsafe audit creation is false.
+	b := testSystemBackend(t)
+
+	req := logical.TestRequest(t, logical.UpdateOperation, "audit/foo")
+	req.Data["type"] = "noop"
+
+	_, err := b.HandleRequest(namespace.RootContext(context.Background()), req)
+	require.ErrorIs(t, err, logical.ErrInvalidRequest)
+}
+
+func TestSystemBackend_enableAudit_withPrefix(t *testing.T) {
+	c, _, _ := TestCoreUnsealedWithConfig(t, &CoreConfig{
+		RawConfig: &server.Config{
+			UnsafeAllowAPIAuditCreation: true,
+			AllowAuditLogPrefixing:      false,
+		},
+		AuditBackends: map[string]audit.Factory{
+			"noop": corehelpers.NoopAuditFactory(nil),
+		},
+	})
+
+	req := logical.TestRequest(t, logical.UpdateOperation, "audit/foo")
+	req.Data["type"] = "noop"
+	req.Data["options"] = map[string]any{"prefix": "foo"}
+
+	_, err := c.systemBackend.HandleRequest(namespace.RootContext(context.Background()), req)
+	require.ErrorIs(t, err, logical.ErrInvalidRequest)
+
+	req = logical.TestRequest(t, logical.UpdateOperation, "audit/foo")
+	req.Data["type"] = "noop"
+	_, err = c.systemBackend.HandleRequest(namespace.RootContext(context.Background()), req)
+	require.NoError(t, err)
+
+	c, _, _ = TestCoreUnsealedWithConfig(t, &CoreConfig{
+		RawConfig: &server.Config{
+			UnsafeAllowAPIAuditCreation: true,
+			AllowAuditLogPrefixing:      true,
+		},
+		AuditBackends: map[string]audit.Factory{
+			"noop": corehelpers.NoopAuditFactory(nil),
+		},
+	})
+
+	req = logical.TestRequest(t, logical.UpdateOperation, "audit/foo")
+	req.Data["type"] = "noop"
+	req.Data["options"] = map[string]any{"prefix": "foo"}
+
+	_, err = c.systemBackend.HandleRequest(namespace.RootContext(context.Background()), req)
+	require.NoError(t, err)
+}
+
 func TestSystemBackend_auditTable(t *testing.T) {
-	c, b, _ := testCoreSystemBackend(t)
-	c.auditBackends["noop"] = corehelpers.NoopAuditFactory(nil)
+	b := testSystemBackendUnsafeAuditCreation(t)
 
 	req := logical.TestRequest(t, logical.UpdateOperation, "audit/foo")
 	req.Data["type"] = "noop"
@@ -2728,26 +2788,23 @@ func TestSystemBackend_auditTable(t *testing.T) {
 }
 
 func TestSystemBackend_disableAudit(t *testing.T) {
-	c, b, _ := testCoreSystemBackend(t)
-	c.auditBackends["noop"] = corehelpers.NoopAuditFactory(nil)
+	b := testSystemBackendUnsafeAuditCreation(t)
 
 	req := logical.TestRequest(t, logical.UpdateOperation, "audit/foo")
 	req.Data["type"] = "noop"
 	req.Data["description"] = "testing"
-	req.Data["options"] = map[string]interface{}{
-		"foo": "bar",
-	}
-	b.HandleRequest(namespace.RootContext(nil), req)
+	req.Data["options"] = map[string]any{"foo": "bar"}
+
+	// Register it
+	resp, err := b.HandleRequest(namespace.RootContext(context.Background()), req)
+	require.NoError(t, err)
+	require.Nil(t, resp)
 
 	// Deregister it
 	req = logical.TestRequest(t, logical.DeleteOperation, "audit/foo")
-	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	if resp != nil {
-		t.Fatalf("bad: %v", resp)
-	}
+	resp, err = b.HandleRequest(namespace.RootContext(context.Background()), req)
+	require.NoError(t, err)
+	require.Nil(t, resp)
 }
 
 func TestSystemBackend_rawRead_Compressed(t *testing.T) {
@@ -3533,6 +3590,17 @@ func testCoreSystemBackendRaw(t *testing.T) (*Core, logical.Backend, string) {
 	return c, c.systemBackend, root
 }
 
+func testSystemBackendUnsafeAuditCreation(t *testing.T) logical.Backend {
+	t.Helper()
+	c, _, _ := TestCoreUnsealedWithConfig(t, &CoreConfig{
+		RawConfig: &server.Config{UnsafeAllowAPIAuditCreation: true},
+		AuditBackends: map[string]audit.Factory{
+			"noop": corehelpers.NoopAuditFactory(nil),
+		},
+	})
+	return c.systemBackend
+}
+
 func TestSystemBackend_PluginCatalog_CRUD(t *testing.T) {
 	c, b, _ := testCoreSystemBackend(t)
 	// Bootstrap the pluginCatalog
@@ -3709,7 +3777,12 @@ func TestSystemBackend_PluginCatalog_CRUD(t *testing.T) {
 }
 
 func TestSystemBackend_PluginCatalog_ListPlugins_SucceedsWithAuditLogEnabled(t *testing.T) {
-	core, b, root := testCoreSystemBackend(t)
+	c, _, root := TestCoreUnsealedWithConfig(t, &CoreConfig{
+		RawConfig: &server.Config{UnsafeAllowAPIAuditCreation: true},
+		AuditBackends: map[string]audit.Factory{
+			"file": auditFile.Factory,
+		},
+	})
 
 	tempDir := t.TempDir()
 	f, err := os.CreateTemp(tempDir, "")
@@ -3726,15 +3799,15 @@ func TestSystemBackend_PluginCatalog_ListPlugins_SucceedsWithAuditLogEnabled(t *
 		},
 	}
 	ctx := namespace.RootContext(nil)
-	resp, err := b.HandleRequest(ctx, req)
+	resp, err := c.systemBackend.HandleRequest(ctx, req)
 	if err != nil || (resp != nil && resp.IsError()) {
 		t.Fatalf("resp: %#v, err: %v", resp, err)
 	}
 
 	// List plugins
 	req = logical.TestRequest(t, logical.ReadOperation, "sys/plugins/catalog")
 	req.ClientToken = root
-	resp, err = core.HandleRequest(ctx, req)
+	resp, err = c.HandleRequest(ctx, req)
 	if err != nil || resp == nil || resp.IsError() {
 		t.Fatalf("resp: %#v, err: %v", resp, err)
 	}
  • vault/testing.go+1 0 modified
    @@ -1642,6 +1642,7 @@ func NewTestCluster(t testing.T, base *CoreConfig, opts *TestClusterOptions) *Te
 	if coreConfig.RawConfig == nil {
 		c := new(server.Config)
 		c.SharedConfig = &configutil.SharedConfig{LogFormat: logging.UnspecifiedFormat.String()}
+		c.UnsafeAllowAPIAuditCreation = true
 		coreConfig.RawConfig = c
 	}

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

8

News mentions

0

No linked articles in our index yet.