CVE-2025-64761 Overview
CVE-2025-64761 is a privilege escalation vulnerability in OpenBao, an open source identity-based secrets management system. Versions prior to 2.4.4 allow an operator who can write to the identity group endpoints to attach the root policy to an identity group, which elevates that operator's own effective permissions, or those of any other member of the targeted group, to root-equivalent within OpenBao. The vulnerability is tracked under [CWE-266: Incorrect Privilege Assignment]. The OpenBao maintainers addressed the issue in version 2.4.4.
Critical Impact
An operator who has been denied policy management rights but can write identity groups can obtain root-equivalent control over OpenBao secrets, configuration, and authentication backends by attaching the root policy to a group.
Affected Products
- OpenBao versions prior to 2.4.4
- OpenBao deployments where operators have write access to the identity/group endpoints in the root namespace
- OpenBao configurations where operators lack direct policy management permissions but retain identity group management privileges
Discovery Timeline
- 2025-11-25 - CVE-2025-64761 published to NVD
- 2025-12-01 - Last updated in NVD database
Technical Details for CVE-2025-64761
Vulnerability Analysis
OpenBao implements a policy system that controls access to secrets engines, authentication methods, and system endpoints. Policies are attached to tokens, entities, and identity groups, with the root policy granting unrestricted access to all paths and operations. The identity group subsystem is designed to aggregate users and assign shared policies, but the access control around policy attachment did not enforce separation between identity management and policy management privileges.
The flaw allows an operator with write permission on the identity/group endpoints to add the root policy directly to a group. Membership in that group then confers root-equivalent capabilities, bypassing the expected segregation between operators who manage identity structures and operators authorized to grant policies.
The vulnerability matters most in environments that enforce least privilege through role separation. An operator who was deliberately denied policy write access could still escalate to root by routing the assignment through identity group membership. Operators who already hold policy write access could reach an equivalent outcome by writing policies that grant broad or sudo capabilities, so the issue principally affects deployments that rely on identity-only operator roles.
Root Cause
The root cause is incorrect privilege assignment [CWE-266] in the identity group policy attachment logic. The endpoint did not check that the caller was itself entitled to grant the policies it was attaching; in particular, it accepted the root policy, so root and other privileged policies could be applied through identity group operations without any corresponding policy-management permission check.
Attack Vector
An authenticated operator in the root namespace with write access to the identity/group endpoints sends a request that creates or updates a group with root in its policy list. Once the attacker's own entity is a member of that group, or another principal of the attacker's choosing has been added to it, that principal inherits root-equivalent permissions. The attack requires network access to the OpenBao API and existing credentials with identity group management rights; it does not require access to the policy endpoints.
No verified public proof-of-concept code is available. Refer to the GitHub Security Advisory GHSA-7ff4-jw48-3436 and the upstream patch commit for the authoritative technical description.
Detection Methods for CVE-2025-64761
Indicators of Compromise
- Audit log entries showing successful writes to identity/group, identity/group/id/* or identity/group/name/* whose policy list contains root. Audit devices HMAC request data values, including policy names, by default, so compare against the HMAC of the string root (obtainable from sys/audit-hash for the device) rather than the plaintext unless the policies key has been exempted from hashing. The log records only policy names, so sudo-capable policies must be identified by cross-referencing policy contents.
- Unexpected membership changes adding operator entities to identity groups associated with elevated policies.
- Token issuance or renewal events for entities whose effective policy set suddenly includes root.
Detection Strategies
- Enable and forward OpenBao audit device logs to a centralized log platform and alert on any modification of identity groups that includes the root policy.
- Baseline the expected policy list per identity group and detect drift, particularly the addition of privileged or sudo-capable policies.
- Correlate identity group changes with subsequent privileged API actions performed by group members within a short time window.
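The following detector implements the first two strategies above over audit device output. It is an added example written for this advisory, not OpenBao project code. It assumes the JSON-lines format of the file audit device inherited from Vault (a "type" of request or response, a "request" object with id, operation, path and data, an "auth" object for the caller, and an "error" string on response entries that is empty on success), and that the HMAC of the literal string root has been fetched once from sys/audit-hash for that device. The hash values and log lines below are constructed.

```python
"""Detect identity-group writes that attach the root policy in OpenBao audit logs.

Added example for this advisory; it is not OpenBao project code. Assumes the
JSON-lines format of the file audit device (inherited from Vault). Request data
values are HMAC-SHA256'd by default, so a root assignment is logged as
"hmac-sha256:<hex>"; the HMAC of the literal "root" is obtained once from
sys/audit-hash and supplied as a marker. All hashes and log lines are constructed.
"""
import json
from typing import Iterable

WRITE_OPS = {"create", "update"}

# Constructed marker: what sys/audit-hash returned for input "root" on this device.
ROOT_HMAC = "hmac-sha256:5d41402abc4b2a76b9719d911017c592f1e2d3c4b5a6978899aabbccddeeff00"
# Plaintext "root" also matches, for devices where "policies" is exempt from HMAC.
ROOT_MARKERS = {"root", ROOT_HMAC}


def is_group_write(req: dict) -> bool:
    """True for create/update on identity/group, identity/group/id/<id> or identity/group/name/<name>."""
    if req.get("operation") not in WRITE_OPS:
        return False
    path = req.get("path", "")
    return path == "identity/group" or path.startswith(("identity/group/id/", "identity/group/name/"))


def requested_policies(req: dict) -> list:
    """Policy list from the request body; the API also accepts a comma-separated string."""
    pols = (req.get("data") or {}).get("policies") or []
    if isinstance(pols, str):
        pols = [p.strip() for p in pols.split(",") if p.strip()]
    return list(pols)


def find_root_assignments(lines: Iterable[str], markers=ROOT_MARKERS) -> list:
    """Return one alert per successful group write whose policy list contains a root marker."""
    alerts, seen = [], set()
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # tolerate a truncated or non-JSON line
        # Only completed writes: "response" entries carry the outcome, and a
        # denied attempt has a non-empty "error".
        if entry.get("type") != "response" or entry.get("error"):
            continue
        req = entry.get("request") or {}
        if not is_group_write(req) or req.get("id") in seen:
            continue
        seen.add(req.get("id"))
        hits = [p for p in requested_policies(req) if p in markers]
        if hits:
            auth = entry.get("auth") or {}
            alerts.append({
                "request_id": req.get("id"),
                "path": req["path"],
                "actor": auth.get("display_name") or auth.get("accessor"),
                "time": entry.get("time"),
                "policies": hits,
            })
    return alerts


# Constructed sample: five events in the shape the file audit device writes them.
SAMPLE_LOG = [
    # 1. Request entry for the attack; skipped because the outcome is not yet known.
    json.dumps({"type": "request", "time": "2025-11-20T10:00:00Z",
                "auth": {"display_name": "userpass-ops"},
                "request": {"id": "r1", "operation": "update", "path": "identity/group",
                            "data": {"name": "ops", "policies": [ROOT_HMAC]}}}),
    # 2. Its response entry: successful write attaching root -> alert.
    json.dumps({"type": "response", "time": "2025-11-20T10:00:00Z", "error": "",
                "auth": {"display_name": "userpass-ops"},
                "request": {"id": "r1", "operation": "update", "path": "identity/group",
                            "data": {"name": "ops", "policies": [ROOT_HMAC]}}}),
    # 3. Benign update attaching an ordinary policy (some other HMAC) -> no alert.
    json.dumps({"type": "response", "time": "2025-11-20T10:01:00Z", "error": "",
                "auth": {"display_name": "userpass-ops"},
                "request": {"id": "r2", "operation": "update", "path": "identity/group/id/3f2a",
                            "data": {"policies": ["hmac-sha256:" + "0" * 63 + "1"]}}}),
    # 4. Denied attempt on the by-name endpoint -> skipped (error present).
    json.dumps({"type": "response", "time": "2025-11-20T10:02:00Z",
                "error": "1 error occurred:\n\t* permission denied\n\n",
                "auth": {"display_name": "userpass-intern"},
                "request": {"id": "r3", "operation": "update", "path": "identity/group/name/ops",
                            "data": {"policies": "default,root"}}}),
    # 5. Plaintext policy names, as logged when "policies" is exempt from HMAC -> alert.
    json.dumps({"type": "response", "time": "2025-11-20T10:03:00Z", "error": "",
                "auth": {"display_name": "token-svc"},
                "request": {"id": "r4", "operation": "create", "path": "identity/group",
                            "data": {"name": "new-admins", "policies": "default,root"}}}),
]

if __name__ == "__main__":
    for alert in find_root_assignments(SAMPLE_LOG):
        print(alert)
```

Feed the function a tail of the audit file, or the same lines after shipping them to the log platform; the request id deduplicates the request/response pair, and the actor field gives the principal to correlate with subsequent privileged API calls.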
Monitoring Recommendations
- Continuously monitor the OpenBao API endpoints identity/group, identity/group-alias, and entity-to-group associations for high-impact mutations.
- Track the OpenBao deployed version through configuration management and alert on instances running below 2.4.4.
- Review periodic exports of group-to-policy mappings against an approved-state inventory.
How to Mitigate CVE-2025-64761
Immediate Actions Required
- Upgrade OpenBao to version 2.4.4 or later on all nodes in the cluster.
- Audit all existing identity groups in the root namespace and remove the root policy or any unintended sudo-capable policies.
- Review the capabilities of every operator with write access to the identity/group endpoints and reduce scope where role separation is required.
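The group audit in the action list above and the baseline comparison under Monitoring Recommendations amount to the same check over an export of the identity store. The script below is an added example for this advisory, not OpenBao project code. Its input records are constructed to match the shape of a read of identity/group/id/<id> (fields id, name, policies) and of sys/policies/acl/<name> (field policy holding HCL text); in production those come from the HTTP API or bao read -format=json. The built-in root policy has no HCL document and is matched by name, and the sudo check is a regex heuristic over path blocks rather than a full HCL parser.

```python
"""Audit exported OpenBao identity groups for root or sudo-capable policies and
for drift from an approved baseline.

Added example for this advisory; it is not OpenBao project code. Input shapes
follow identity/group/id/<id> and sys/policies/acl/<name>; all records are
constructed. The sudo detection is a regex heuristic, not an HCL parser.
"""
import re

# path "<p>" { ... } blocks; ACL policy bodies do not nest braces.
PATH_BLOCK_RE = re.compile(r'path\s+"([^"]+)"\s*\{([^}]*)\}', re.S)
CAPS_RE = re.compile(r'capabilities\s*=\s*\[([^\]]*)\]', re.S)


def sudo_paths(policy_hcl: str) -> list:
    """Return the paths in a policy document whose capabilities include sudo."""
    found = []
    for path, body in PATH_BLOCK_RE.findall(policy_hcl):
        m = CAPS_RE.search(body)
        caps = [c.strip().strip('"') for c in m.group(1).split(",")] if m else []
        if "sudo" in caps:
            found.append(path)
    return found


def audit_groups(groups: list, policy_docs: dict, baseline: dict) -> dict:
    """groups: group records; policy_docs: policy name -> HCL text;
    baseline: approved group name -> policy list.

    Returns groups carrying root, (group, policy, path) triples granting sudo,
    and per-group policies not present in the baseline (a group missing from
    the baseline reports all of its policies)."""
    root_groups, sudo_grants, drift = [], [], {}
    for g in groups:
        name, attached = g["name"], list(g.get("policies") or [])
        if "root" in attached:
            root_groups.append(name)
        for pol in attached:
            for p in sudo_paths(policy_docs.get(pol, "")):
                sudo_grants.append((name, pol, p))
        extra = sorted(set(attached) - set(baseline.get(name, [])))
        if extra or name not in baseline:
            drift[name] = extra
    return {"root_groups": root_groups, "sudo_grants": sudo_grants, "drift": drift}


# Constructed export: three groups, their policy documents, and the approved state.
GROUPS = [
    {"id": "0a1b", "name": "ops-readers", "policies": ["default", "kv-read"]},
    {"id": "2c3d", "name": "identity-admins", "policies": ["default", "root"]},
    {"id": "4e5f", "name": "platform", "policies": ["default", "pki-admin"]},
]
POLICY_DOCS = {
    "default": 'path "auth/token/lookup-self" {\n  capabilities = ["read"]\n}\n',
    "kv-read": 'path "secret/data/*" {\n  capabilities = ["read", "list"]\n}\n',
    "pki-admin": ('path "pki/root/generate/*" {\n  capabilities = ["create", "update", "sudo"]\n}\n'
                  'path "pki/*" {\n  capabilities = ["read", "list"]\n}\n'),
}
BASELINE = {
    "ops-readers": ["default", "kv-read"],
    "identity-admins": ["default"],
    "platform": ["default"],
}

if __name__ == "__main__":
    report = audit_groups(GROUPS, POLICY_DOCS, BASELINE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against a fresh export after the upgrade as well: 2.4.4 stops new root attachments, but it is this comparison, not the upgrade, that finds groups where root was attached before the fix.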
Patch Information
The issue was fixed in OpenBao 2.4.4 via pull request #2143 and merged in commit 16bb0ccd37a502930a289d434cbe4e7b4edd66e5. Operators should apply the upgrade following the standard OpenBao rolling upgrade procedure.
Workarounds
- Restrict access to identity/group and related identity write endpoints to operators who are already authorized to manage policies.
- Apply policies that explicitly deny modification of identity groups to operators who should not hold root-equivalent capabilities; a deny capability overrides any grant from the operator's other policies.
- Use namespaces to isolate identity management functions away from the root namespace where feasible.
# Example policy restricting identity group writes in the root namespace.
# "deny" takes precedence over any capability granted elsewhere, so this
# stanza is effective even if another policy attached to the same operator
# grants write access to these paths.
path "identity/group" {
  capabilities = ["deny"]
}
# Covers the by-id and by-name forms: identity/group/id/<id> and identity/group/name/<name>
path "identity/group/*" {
  capabilities = ["deny"]
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.