216.73.217.86

CVE-2025-64761

· Published 25/11/2025 01:15 · Modified 01/12/2025 15:44

Labels: CVE-2025-64761 2025-11-25CVE-2025-64761CWE-266[email protected]

Essential information

Published
25/11/2025 01:15
Modified
01/12/2025 15:44
Author
Creator
CVSS
7.5 HIGH (v3) 7.5 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

OpenBao is an open source identity-based secrets management system. Prior to version 2.4.4, a privileged operator could use the identity group subsystem to add a root policy to a group identity group, escalating their or another user's permissions in the system. Specifically this is an issue when: an operator in the root namespace has access to identity/groups endpoints and an operator does not have policy access. Otherwise, an operator with policy access could create or modify an existing policy to grant root-equivalent permissions through the sudo capability. This issue has been patched in version 2.4.4.

NVD status

Status
Analyzed — CVE has had analysis completed and all data associations made.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
openbao / openbao cpe:2.3:a:openbao:openbao:*:*:*:*:*:*:*:*

References