Platform: go
Component: github.com/openbao/openbao
Fixed in: 2.3.3, 2.3.2, 0.0.0-20250806193240-9b0b5d4f345f
CVE-2025-54996 describes a privilege escalation vulnerability within the OpenBao Root Namespace Operator. This flaw allows an attacker to potentially elevate token privileges, leading to unauthorized access and control. The vulnerability affects versions of OpenBao prior to v2.3.2. A fix has been released in version v2.3.2.
The core of this vulnerability lies in the Root Namespace Operator's handling of tokens. An attacker exploiting this flaw could gain elevated privileges within the Kubernetes cluster where OpenBao is deployed. This could manifest as the ability to create, modify, or delete resources, access sensitive data, or compromise the entire cluster. The impact is particularly severe in multi-tenant environments or where OpenBao is used to manage critical infrastructure. Specific attack vectors are not detailed, but the potential for privilege escalation suggests a broad attack surface.
As of the publication date (2025-08-11), there is no public proof-of-concept (POC) available for CVE-2025-54996, and the vulnerability has not been added to the CISA KEV catalog. Given its nature (privilege escalation), it is reasonable to assume that it could be targeted by attackers, especially those with expertise in Kubernetes security. The severity rating of HIGH indicates a significant risk.
Exploit Status
EPSS: 0.05% (16th percentile)
The primary mitigation for CVE-2025-54996 is to upgrade OpenBao to version v2.3.2 or later, which contains the fix for the privilege escalation vulnerability. If an immediate upgrade is not feasible, consider implementing stricter Kubernetes Role-Based Access Control (RBAC) policies to limit the impact of a successful exploit. Regularly review OpenBao's configuration and audit logs for suspicious activity. After upgrading, confirm the fix by verifying that the Root Namespace Operator correctly enforces access controls and prevents unauthorized privilege elevation.
Upgrade OpenBao to version 2.3.2 or later. Alternatively, use the `denied_parameters` feature in policies that have access to the affected identity endpoints to mitigate the risk of privilege elevation.
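A policy fragment showing what the `denied_parameters` workaround looks like, added here as an example and not taken from the OpenBao advisory or project. The page does not name the affected identity endpoints or parameters, so the `identity/entity/*` and `identity/group/*` paths and the `policies` parameter are assumptions; adjust them to the endpoints the official advisory lists.

```hcl
# Example policy (assumed paths and parameter, not from the advisory).
# It lets an operator manage identity entities and groups but rejects any
# request that carries the "policies" parameter, so the request cannot
# attach additional policies to an entity or group and, through them,
# to the tokens mapped to that identity.
path "identity/entity/*" {
  capabilities = ["create", "update", "read", "list"]
  denied_parameters = {
    # An empty list denies the parameter regardless of its value.
    "policies" = []
  }
}

path "identity/group/*" {
  capabilities = ["create", "update", "read", "list"]
  denied_parameters = {
    "policies" = []
  }
}
```

Load it with `bao policy write identity-ops identity-ops.hcl` and attach it in place of any broader policy that grants write access to these paths; requests that include `policies` on the covered endpoints are then refused with a permission error rather than applied.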
CVE-2025-54996 is a HIGH severity vulnerability in OpenBao versions before v2.3.2 that allows an attacker to potentially elevate token privileges, leading to unauthorized access and control within a Kubernetes cluster.
If you are using OpenBao versions prior to v2.3.2, you are potentially affected by this vulnerability. Assess your environment and upgrade as soon as possible.
The recommended fix is to upgrade OpenBao to version v2.3.2 or later. This version includes the necessary patches to address the privilege escalation vulnerability.
As of the current date, there is no confirmed evidence of active exploitation. However, given the severity of the vulnerability, it is likely to be targeted by attackers.
Refer to the OpenBao project's official advisory channels and documentation for the most up-to-date information and security announcements.