VYPR
Low severity (2.3) · NVD Advisory · Published Jun 19, 2026 · Updated Jun 19, 2026

OpenBao's System Backend allows Unauthorized Management of the containing Namespace

CVE-2026-55775

Description

Summary

A user that is granted namespace management (/sys/namespaces) capabilities within a non-root namespace ("the victim namespace") can abuse special handling of the literal path "root" in namespace path canonicalization to manage the victim namespace itself.

Details

Several endpoints under /sys/namespaces/* accept a namespace path segment that is canonicalized and then appended to the path of the sys mount's containing namespace (set via path prefix or X-Vault-Namespace header) to determine the absolute path of the namespace to operate on.

Because the special namespace path "root" canonicalizes to an empty path (""), passing it as /sys/namespaces/root yields an absolute namespace path equal to the sys mount's containing namespace. Since ACLs are evaluated before namespace path canonicalization, users with capabilities on /sys/namespaces/root within any given namespace can operate on that namespace itself instead.

Impact

Users that were granted the required capabilities can abuse this vulnerability to:

  • Look up
  • Delete
  • Lock
  • Patch custom metadata

against the namespace that contains the system backend in which they can manage sys/namespaces/root. The exact range of operations that can be performed depends on the specific capabilities granted on that path and any sub-paths such as /api-lock.

Notably, the root namespace is immutable and cannot be modified, deleted or locked, and is thus unaffected. Also note that users can only abuse this vulnerability to operate on the direct parent or "containing" namespace relative to their capabilities, not arbitrary namespaces.

Patch

This will be fixed in OpenBao v2.5.5.

PoC

Start a development server:

bao server -dev

Create a namespace:

bao namespace create victim

This will be the namespace we gain unauthorized management of.

Create a policy that allows management of namespaces, _inside_ the victim namespace:

bao policy write -namespace=victim namespace-management - <<EOF
path "sys/namespaces/*" {
	capabilities = ["read", "update", "patch", "delete"]
}
EOF

Then create a token with the above policy attached:

export BAO_TOKEN=$(bao token create -namespace=victim -policy=namespace-management -field=token)

Operate on the victim's namespace using the token, for example by outright deleting it:

bao namespace delete -namespace=victim root

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"The `Canonicalize` function treats the literal string `"root"` as equivalent to an empty path, so when a user with ACLs on `sys/namespaces/root` passes `"root"` as the path segment, the operation targets the containing namespace instead of a child namespace."

Attack vector

An attacker who has been granted capabilities on `sys/namespaces/*` within a non-root namespace (the victim namespace) can pass the literal path `"root"` to any `/sys/namespaces/<path>` endpoint. Because `Canonicalize` converts `"root"` to an empty string, the resulting absolute namespace path equals the sys mount's containing namespace — i.e., the victim namespace itself. ACLs are evaluated against the original request path `sys/namespaces/root` before canonicalization, so the attacker's token passes the policy check, and the operation then acts on the victim namespace. This allows the attacker to look up, delete, lock, or patch custom metadata on the victim namespace. [ref_id=2]

Affected code

The vulnerability resides in the namespace path canonicalization logic in `helper/namespace/namespace.go` (the `Canonicalize` function) and the handler functions in `vault/logical_system_namespaces.go` and `vault/logical_system_namespaces_seals.go`. The `Canonicalize` function treated the literal string `"root"` as equivalent to an empty path, and the handlers called `Canonicalize` before performing ACL checks, allowing the empty path to resolve to the containing namespace. The patch replaces `Canonicalize` with a new `ParseName` function that rejects `"root"` as a valid namespace name, and also adds a guard in `vault/namespace_store.go` to re-route a header of `"root"` to the root namespace.

What the fix does

The patch introduces a new function `ParseName` in `helper/namespace/namespace.go` that calls `Canonicalize` but then rejects an empty result (which would occur when the input is `"root"`), and also rejects reserved names. All handler functions in `logical_system_namespaces.go` and `logical_system_namespaces_seals.go` are changed from calling `namespace.Canonicalize` directly to calling `namespace.ParseName`, so that passing `"root"` as the path segment now returns an error instead of an empty path. Additionally, `vault/namespace_store.go` is updated to re-route a namespace header of `"root/"` to the empty string, ensuring the root namespace is correctly identified. Together these changes close the privilege escalation by ensuring the literal `"root"` can never be used to target the containing namespace. [patch_id=6640290]
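The two passages above (the canonicalization detail under "Details" and the ParseName guard under "What the fix does") can be made concrete with a small model. The following Go program is an added example written for this page; it is not OpenBao's code. The function names Canonicalize and ParseName are taken from the advisory, but their bodies, the reserved-name list, the trailing-slash convention and the ResolveTarget* helpers are assumptions made here to illustrate the behaviour, not the project's implementation.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Constructed model, not OpenBao's code: shows why the literal "root"
// resolved to the containing namespace and how a ParseName-style guard
// rejects it before any path is built.

// Canonicalize trims surrounding slashes, adds a trailing "/" to non-empty
// paths, and maps the literal "root" to the empty path. The "root" -> ""
// mapping is the root cause named in the advisory; the slash handling is
// an assumption of this model.
func Canonicalize(ns string) string {
	ns = strings.Trim(ns, "/")
	if ns == "" || ns == "root" {
		return ""
	}
	return ns + "/"
}

// reserved holds names ParseName refuses. "root" comes from the advisory;
// "sys" is an assumed extra entry for illustration only.
var reserved = map[string]bool{"root": true, "sys": true}

// ParseName is the fixed variant: canonicalize, then reject an empty result
// (which is exactly what "root" becomes) and any reserved name.
func ParseName(ns string) (string, error) {
	clean := Canonicalize(ns)
	if clean == "" {
		return "", errors.New("namespace name must not be empty or \"root\"")
	}
	if reserved[strings.TrimSuffix(clean, "/")] {
		return "", fmt.Errorf("namespace name %q is reserved", ns)
	}
	return clean, nil
}

// ResolveTargetVulnerable models the pre-fix handler: the segment is
// canonicalized and appended to the containing namespace's path, so
// "root" collapses onto the containing namespace.
func ResolveTargetVulnerable(containing, segment string) string {
	return containing + Canonicalize(segment)
}

// ResolveTargetFixed models the patched handler: ParseName runs first and
// an error stops the request before a target path exists.
func ResolveTargetFixed(containing, segment string) (string, error) {
	clean, err := ParseName(segment)
	if err != nil {
		return "", err
	}
	return containing + clean, nil
}

func main() {
	containing := "victim/" // the namespace holding the sys mount
	for _, seg := range []string{"child", "root"} {
		fmt.Printf("vulnerable: %q -> %q\n", seg, ResolveTargetVulnerable(containing, seg))
		if target, err := ResolveTargetFixed(containing, seg); err != nil {
			fmt.Printf("fixed:      %q -> rejected: %v\n", seg, err)
		} else {
			fmt.Printf("fixed:      %q -> %q\n", seg, target)
		}
	}
}
```

Running it shows the asymmetry the advisory describes: in the vulnerable model "child" under "victim/" becomes "victim/child/", while "root" becomes "victim/" itself, which is why a policy granting `sys/namespaces/*` inside a namespace implicitly covered `sys/namespaces/root` and therefore the namespace that granted it. In the fixed model the same "root" segment is rejected before any path is built, and ordinary child names still resolve as before.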

Preconditions

  • auth: The attacker must have a token with capabilities on `sys/namespaces/*` (or a sub-path) within a non-root namespace.
  • network: The attacker must be able to send requests to the `/sys/namespaces/` endpoints of the OpenBao server.
  • config: The victim namespace must be a non-root namespace (the root namespace is immutable and unaffected).

Reproduction

Start a development server: `bao server -dev`. Create a namespace: `bao namespace create victim`. Create a policy inside the victim namespace that grants management of namespaces:

bao policy write -namespace=victim namespace-management - <<EOF
path "sys/namespaces/*" {
	capabilities = ["read", "update", "patch", "delete"]
}
EOF

Create a token with that policy: `export BAO_TOKEN=$(bao token create -namespace=victim -policy=namespace-management -field=token)`. Delete the victim namespace using the token: `bao namespace delete -namespace=victim root`. [ref_id=2]

Generated on Jun 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
