Privilege Escalation in OpenBao Identity Management System
CVE-2025-64761

7.5HIGH

Key Information:

Vendor

Openbao

Status
Openbao
Vendor
CVE Published:
25 November 2025

What is CVE-2025-64761?

OpenBao, an open-source identity-based secrets management system, contains a vulnerability that allows a privileged operator to exploit the identity group subsystem. Specifically, operators with access to identity/groups endpoints can add root policies to group identities, enabling them or others to escalate permissions within the system. This poses a significant risk, especially when an operator lacks policy access yet can leverage the root namespace to gain unauthorized privileges. The issue has been addressed in version 2.4.4.

Affected Version(s)

openbao < 2.4.4

References

https://github.com/openbao/openbao/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/openbao/openbao/pull/2143
x_refsource_MISC
https://github.com/openbao/openbao/commit/16bb0ccd37a5029...
x_refsource_MISC

CVSS V4

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.