OpenBao Security Advisory: Privileged Operator Identity Group Root Escalation Vulnerability (GO-2025-4156)
A security vulnerability has been identified in OpenBao, an open-source secrets management and encryption tool. The vulnerability, tracked as GO-2025-4156, is a Privileged Operator Identity Group Root Escalation flaw in the `github.com/openbao/openbao` module. The issue affects versions before v2.4.4.

`govulncheck` reports the vulnerability as reachable, meaning the scanned code has a call path into the affected functions rather than merely depending on the affected module. The advisory notes that the source lists additional affected versions that could not be mapped automatically to standard Go module versions, which may cause false-positive reports from vulnerability scanners.

The affected code locations span several authentication and internal HTTP handling modules:

- AWS auth: `auth/aws/cli.go`, `auth/aws/pkcs7/pkcs7.go`, `auth/aws/pkcs7/verify.go`
- GCP auth: `auth/gcp/authorizer_client_gcp.go`, `auth/gcp/cli.go`
- GitHub auth: `auth/github/path_config.go`
- Core HTTP handlers: `internal/http/cors.go`, `internal/http/handler.go`

The specific functions implicated are `Auth`, `ForMarshalling`, `Error`, `ServiceAccount`, `Help`, `Config`, `wrapCORSHandler$1`, `Handler`, and `Open`.

As of this report, a fixed version is not listed (Fixed In: N/A). The finding originates from a `govulncheck` scan of the `openbao/openbao-plugins` repository on the `main` branch.