CVE-2025-64761: OpenBao is Vulnerable to Privileged Operator Identity Group Root Escalation
Similar to HCSEC-2025-13 / CVE-2025-5999, a privileged operator could use the identity group subsystem to add the root policy to an identity group, escalating their own or another user's permissions in the system. Specifically, this is an issue when:
- An operator in the root namespace has access to the identity/groups endpoints.
- An operator does not have policy access.
Policy access is excluded from the threat model because an operator who already has it could simply create or modify a policy that grants root-equivalent permissions through the sudo capability.
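The two conditions above can be turned into an offline audit: flag groups that already carry the root policy, and flag operator policies that can write identity groups without being able to manage policies. The block below is an added example, not OpenBao's own code and not part of the advisory. It assumes the identity/group/* path family for the endpoints the advisory calls identity/groups, a group record shaped like the "data" object of a group read, and a simplified longest-prefix glob for ACL path matching; all sample data is constructed.

```python
"""Added example for CVE-2025-64761; this is not OpenBao project code.

Two offline checks built from the advisory's description:
  1. flag identity groups whose policy list contains "root", the escalation
     outcome the advisory describes;
  2. flag operator ACL policies that can write the identity group endpoints
     but cannot manage policies, the precondition the advisory lists.

Assumptions: group records are shaped like the "data" object returned by
GET /v1/identity/group/id/<id> (name, id, policies, member_entity_ids);
policies are written as {path pattern: [capabilities]} mirroring HCL
"path" stanzas; path matching is a simplified longest-prefix glob where a
trailing "*" matches any suffix. All sample data below is constructed.
"""
from typing import Dict, List, Set

ROOT_POLICY = "root"
# Capabilities that let a caller change state on a path.
WRITE_CAPS = {"create", "update", "patch", "sudo"}

# Constructed sample: what reading three groups might return.
SAMPLE_GROUPS: List[Dict] = [
    {"id": "grp-0001", "name": "platform-admins",
     "policies": ["admin", "root"], "member_entity_ids": ["ent-01"]},
    {"id": "grp-0002", "name": "developers",
     "policies": ["dev-read"], "member_entity_ids": ["ent-02", "ent-03"]},
    {"id": "grp-0003", "name": "external-ops",
     "policies": [" root "], "member_entity_ids": []},
]

# Constructed sample ACL policies held by three operator roles.
SAMPLE_POLICIES: Dict[str, Dict[str, List[str]]] = {
    "identity-operator": {
        "identity/group/*": ["create", "update", "read", "list"],
        "identity/entity/*": ["create", "update", "read", "list"],
    },
    "policy-admin": {
        "identity/group/*": ["create", "update", "read", "list"],
        "sys/policies/acl/*": ["create", "update", "read", "list", "delete"],
    },
    "group-reader": {
        "identity/group/*": ["read", "list"],
    },
}


def group_has_root_policy(group: Dict) -> bool:
    """True if the group's policy list names the root policy (whitespace-tolerant)."""
    policies = group.get("policies") or []
    return any(p.strip().lower() == ROOT_POLICY for p in policies)


def find_root_groups(groups: List[Dict]) -> List[str]:
    """Names of groups that would hand root to every member entity."""
    return [g["name"] for g in groups if group_has_root_policy(g)]


def path_matches(pattern: str, path: str) -> bool:
    """Simplified ACL glob: a trailing '*' matches any suffix, otherwise exact match."""
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern


def effective_caps(policy: Dict[str, List[str]], path: str) -> Set[str]:
    """Capabilities on `path`: the longest matching stanza wins; 'deny' empties it."""
    best = None
    for pattern, caps in policy.items():
        if path_matches(pattern, path) and (best is None or len(pattern) > len(best[0])):
            best = (pattern, caps)
    if best is None or "deny" in best[1]:
        return set()
    return set(best[1])


def can_write(policy: Dict[str, List[str]], paths) -> bool:
    """True if any of the representative paths is writable under the policy."""
    return any(effective_caps(policy, p) & WRITE_CAPS for p in paths)


# Representative concrete paths used to probe each policy (assumed endpoint layout).
GROUP_WRITE_PATHS = ("identity/group", "identity/group/id/grp-0001", "identity/group/name/x")
POLICY_WRITE_PATHS = ("sys/policies/acl/x", "sys/policy/x")


def matches_advisory_precondition(policy: Dict[str, List[str]]) -> bool:
    """Operator can alter identity groups but cannot manage policies."""
    return can_write(policy, GROUP_WRITE_PATHS) and not can_write(policy, POLICY_WRITE_PATHS)


def exposed_policies(policies: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Names of operator policies that match the advisory's precondition."""
    return [name for name, pol in policies.items() if matches_advisory_precondition(pol)]


if __name__ == "__main__":
    print("groups carrying root:", find_root_groups(SAMPLE_GROUPS))
    print("operator policies matching the precondition:", exposed_policies(SAMPLE_POLICIES))
```

On a live deployment the group records would come from listing identity/group/id and reading each entry, and the policy dicts from the ACL policies held by operator tokens; the matching here ignores the `+` segment wildcard and other nuances of the real ACL evaluator, so treat a hit as a lead to confirm, not a verdict.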
References
- github.com/advisories/GHSA-7ff4-jw48-3436
- github.com/openbao/openbao
- github.com/openbao/openbao/commit/16bb0ccd37a502930a289d434cbe4e7b4edd66e5
- github.com/openbao/openbao/commit/747a1378c2756f86296ad9450f74f6faeecc2eb7
- github.com/openbao/openbao/pull/2143
- github.com/openbao/openbao/releases/tag/v2.4.4
- github.com/openbao/openbao/security/advisories/GHSA-7ff4-jw48-3436
- nvd.nist.gov/vuln/detail/CVE-2025-64761