OpenBao Privileged Operator Identity Group Root Escalation
Description
OpenBao is an open source identity-based secrets management system. Prior to version 2.4.4, a privileged operator could use the identity group subsystem to add the root policy to an identity group, escalating their own or another user's permissions in the system. Specifically, this is an issue when an operator in the root namespace has access to the identity/groups endpoints but does not have policy access. Otherwise, an operator with policy access could already create or modify an existing policy to grant root-equivalent permissions through the sudo capability. This issue has been patched in version 2.4.4.
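To make the mechanism in the description concrete, here is an added Go example written for this page; it is not OpenBao code. It models the group-policy update path before and after the fix. The two dedup helpers are constructed stand-ins whose behaviour is an assumption modelled on the fix commit's change from strutil.RemoveDuplicatesStable to strutil.RemoveDuplicates with lowercasing (the order, casing and whitespace handling are assumptions stated in the comments), and the names setGroupPoliciesVulnerable, setGroupPoliciesFixed and findRootGroups are hypothetical. The last function goes one step beyond the page's fix from a defender's side: the diff on this page normalises names on write only, so group policy lists written by an earlier release are worth re-checking after an upgrade.

```go
package main

import (
	"errors"
	"fmt"
	"slices"
	"strings"
)

var errRootPolicy = errors.New("identity groups may not carry the root policy")

// dedupStable is a constructed stand-in for the helper the pre-2.4.4 code used.
// Assumption: duplicates are detected on the trimmed, optionally lowercased key,
// but the caller's original string (casing and whitespace included) is what gets
// stored, and first-seen order is kept.
func dedupStable(items []string, caseInsensitive bool) []string {
	seen := make(map[string]struct{}, len(items))
	out := make([]string, 0, len(items))
	for _, item := range items {
		key := strings.TrimSpace(item)
		if key == "" {
			continue
		}
		if caseInsensitive {
			key = strings.ToLower(key)
		}
		if _, dup := seen[key]; dup {
			continue
		}
		seen[key] = struct{}{}
		out = append(out, item) // original spelling survives
	}
	return out
}

// dedupNormalised is a constructed stand-in for the helper the fix switched to.
// Assumption: every name is trimmed and lowercased before being stored, then
// deduplicated and sorted.
func dedupNormalised(items []string) []string {
	seen := make(map[string]struct{}, len(items))
	for _, item := range items {
		item = strings.ToLower(strings.TrimSpace(item))
		if item != "" {
			seen[item] = struct{}{}
		}
	}
	out := make([]string, 0, len(seen))
	for item := range seen {
		out = append(out, item)
	}
	slices.Sort(out)
	return out
}

// setGroupPoliciesVulnerable models the pre-fix update path: the literal "root"
// check runs against whatever spelling the caller sent, so a variant such as
// "Root" or " root" passes the check and is stored on the group.
func setGroupPoliciesVulnerable(requested []string) ([]string, error) {
	policies := dedupStable(requested, true)
	if slices.Contains(policies, "root") {
		return nil, errRootPolicy
	}
	return policies, nil
}

// setGroupPoliciesFixed models the patched path: names are canonicalised first,
// so the same check now catches every spelling of root.
func setGroupPoliciesFixed(requested []string) ([]string, error) {
	policies := dedupNormalised(requested)
	if slices.Contains(policies, "root") {
		return nil, errRootPolicy
	}
	return policies, nil
}

// findRootGroups is a hypothetical post-upgrade audit: given group name ->
// stored policy names (as read back from the identity group endpoints), it
// reports the groups whose stored list contains any spelling of root.
func findRootGroups(groups map[string][]string) []string {
	var hits []string
	for name, policies := range groups {
		for _, p := range policies {
			if strings.ToLower(strings.TrimSpace(p)) == "root" {
				hits = append(hits, name)
				break
			}
		}
	}
	slices.Sort(hits) // map iteration order is random; keep the report stable
	return hits
}

func main() {
	// Constructed inputs: the casing and whitespace variants the fix's test covers.
	for _, name := range []string{"root", "Root", "rOoT", " root", "root "} {
		_, vErr := setGroupPoliciesVulnerable([]string{"default", name})
		_, fErr := setGroupPoliciesFixed([]string{"default", name})
		fmt.Printf("%-8q pre-fix rejects: %-5v fixed rejects: %v\n", name, vErr != nil, fErr != nil)
	}
	// Constructed stored state for the audit helper.
	stored := map[string][]string{"platform-admins": {"default", "Root"}, "developers": {"default", "dev"}}
	fmt.Println("groups carrying a root spelling:", findRootGroups(stored))
}
```

Run it with `go run`; the loop in main prints, for each spelling, whether the pre-fix and fixed paths reject it. findRootGroups takes a map of group name to stored policy names, which an operator can populate from reads of the identity group endpoints after upgrading to 2.4.4.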
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/openbao/openbao (Go) | < 2.4.4 | 2.4.4 |
Affected products
Patches
16bb0ccd37a5 Correctly lowercase policies in identity groups (#2143)
3 files changed · +25 −1
changelog/2143.txt+3 −0 added@@ -0,0 +1,3 @@ +```release-note:security +core/identity: Correctly lowercase policy names on identity groups to prevent root policy assignment. CVE-2025-64761 / GHSA-7ff4-jw48-3436. Second part of upstream's HCSEC-2025-13 / CVE-2025-5999. +```
vault/identity_store_groups.go+1 −1 modified@@ -254,7 +254,7 @@ func (i *IdentityStore) handleGroupUpdateCommon(ctx context.Context, req *logica // Update the policies if supplied policiesRaw, ok := d.GetOk("policies") if ok { - group.Policies = strutil.RemoveDuplicatesStable(policiesRaw.([]string), true) + group.Policies = strutil.RemoveDuplicates(policiesRaw.([]string), true /* lowercase */) } if slices.Contains(group.Policies, "root") {
vault/identity_store_groups_test.go+21 −0 modified@@ -14,6 +14,7 @@ import ( "github.com/openbao/openbao/helper/identity" "github.com/openbao/openbao/helper/namespace" "github.com/openbao/openbao/sdk/v2/logical" + "github.com/stretchr/testify/require" ) func TestIdentityStore_Groups_AddByNameEntityUpdate(t *testing.T) { @@ -984,6 +985,26 @@ func TestIdentityStore_GroupsCRUD_ByID(t *testing.T) { t.Fatalf("bad: group data; expected: %#v\n actual: %#v\n", expectedData, resp.Data) } + // For HCSEC-2025-13 / CVE-2025-5999, validate that we cannot set root + // policies with other casing. + for _, name := range []string{"rooT", "Root", "rOoT", "root", "root ", " root"} { + groupReq.Operation = logical.UpdateOperation + groupReq.Data = map[string]interface{}{ + "policies": []string{name}, + } + resp, err = is.HandleRequest(ctx, groupReq) + if err == nil && (resp == nil || !resp.IsError()) { + t.Fatalf("[policy: %v] err:%v resp:%#v", name, err, resp) + } + + groupReq.Operation = logical.ReadOperation + resp, err = is.HandleRequest(ctx, groupReq) + if err != nil || (resp != nil && resp.IsError()) { + t.Fatalf("err:%v resp:%#v", err, resp) + } + require.NotContains(t, resp.Data["policies"].([]string), "root") + } + // Check if delete is working properly groupReq.Operation = logical.DeleteOperation resp, err = is.HandleRequest(ctx, groupReq)
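Review bot: in the vault/identity_store_groups.go hunk, the inline `/* lowercase */` comment is carrying the whole fix and deserves a line of its own above the check that follows it. The second argument of the old call (`strutil.RemoveDuplicatesStable(policiesRaw.([]string), true)`) only affected how duplicates were compared, so the list kept the caller's spelling and `slices.Contains(group.Policies, "root")` never saw "Root" or " root"; the new call (`strutil.RemoveDuplicates(policiesRaw.([]string), true /* lowercase */)`) normalises what gets stored. Suggest a short comment above `if slices.Contains(group.Policies, "root")` stating that the list has been lowercased and trimmed at that point, so a future refactor does not swap the Stable variant back in. Also worth a word in the changelog: dropping the Stable variant means group reads now return lowercased, deduplicated names rather than what the caller sent, which is a small but visible behaviour change for API consumers.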
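Review bot: in the new loop in TestIdentityStore_GroupsCRUD_ByID, the read-back assertion `require.NotContains(t, resp.Data["policies"].([]string), "root")` checks only for the literal lowercase spelling, so it would not notice a stored "Root" or " root", which is exactly the shape of the bug under test. Suggest asserting that no element equals "root" after strings.TrimSpace and strings.ToLower, or that the policy list is unchanged from the value the test set before the loop. Minor: the unchecked type assertion on `resp.Data["policies"]` panics rather than fails cleanly if the read response omits the key, and the hunk introduces testify's require into a function that otherwise uses t.Fatalf; one style within the function would read better.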
747a1378c275 Correctly lowercase policies in identity groups
3 files changed · +25 −1
changelog/2143.txt+3 −0 added@@ -0,0 +1,3 @@ +```release-note:security +core/identity: Correctly lowercase policy names on identity groups to prevent root policy assignment. CVE-2025-64761 / GHSA-7ff4-jw48-3436. Second part of upstream's HCSEC-2025-13 / CVE-2025-5999. +```
vault/identity_store_groups.go+1 −1 modified@@ -254,7 +254,7 @@ func (i *IdentityStore) handleGroupUpdateCommon(ctx context.Context, req *logica // Update the policies if supplied policiesRaw, ok := d.GetOk("policies") if ok { - group.Policies = strutil.RemoveDuplicatesStable(policiesRaw.([]string), true) + group.Policies = strutil.RemoveDuplicates(policiesRaw.([]string), true /* lowercase */) } if slices.Contains(group.Policies, "root") {
vault/identity_store_groups_test.go+21 −0 modified@@ -14,6 +14,7 @@ import ( "github.com/openbao/openbao/helper/identity" "github.com/openbao/openbao/helper/namespace" "github.com/openbao/openbao/sdk/v2/logical" + "github.com/stretchr/testify/require" ) func TestIdentityStore_Groups_AddByNameEntityUpdate(t *testing.T) { @@ -984,6 +985,26 @@ func TestIdentityStore_GroupsCRUD_ByID(t *testing.T) { t.Fatalf("bad: group data; expected: %#v\n actual: %#v\n", expectedData, resp.Data) } + // For HCSEC-2025-13 / CVE-2025-5999, validate that we cannot set root + // policies with other casing. + for _, name := range []string{"rooT", "Root", "rOoT", "root", "root ", " root"} { + groupReq.Operation = logical.UpdateOperation + groupReq.Data = map[string]interface{}{ + "policies": []string{name}, + } + resp, err = is.HandleRequest(ctx, groupReq) + if err == nil && (resp == nil || !resp.IsError()) { + t.Fatalf("[policy: %v] err:%v resp:%#v", name, err, resp) + } + + groupReq.Operation = logical.ReadOperation + resp, err = is.HandleRequest(ctx, groupReq) + if err != nil || (resp != nil && resp.IsError()) { + t.Fatalf("err:%v resp:%#v", err, resp) + } + require.NotContains(t, resp.Data["policies"].([]string), "root") + } + // Check if delete is working properly groupReq.Operation = logical.DeleteOperation resp, err = is.HandleRequest(ctx, groupReq)
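Review bot: this commit carries the same three hunks as 16bb0ccd37a5 (the changelog entry, the RemoveDuplicates swap in handleGroupUpdateCommon, and the casing loop in the test), but its title drops the "(#2143)" pull-request reference that the first commit's title has. If this is the release-branch copy of the same change, keep the PR number and the original commit hash in the title or body so the two commits can be tied together from git log alone when the advisory is traced; the changelog file name records the PR, but the commit metadata is what shows up in history.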
Vulnerability mechanics
References
- github.com/advisories/GHSA-7ff4-jw48-3436 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-64761 (advisory)
- github.com/openbao/openbao/commit/16bb0ccd37a502930a289d434cbe4e7b4edd66e5
- github.com/openbao/openbao/commit/747a1378c2756f86296ad9450f74f6faeecc2eb7
- github.com/openbao/openbao/pull/2143
- github.com/openbao/openbao/releases/tag/v2.4.4
- github.com/openbao/openbao/security/advisories/GHSA-7ff4-jw48-3436 (vendor advisory)