OpenBao 2.4.x Release Branch Exposes Reachable Cryptographic Vulnerability GO-2026-4550

A reachable cryptographic vulnerability has been confirmed in the `release/2.4.x` branch of the OpenBao secrets management software. The security flaw, tracked as GO-2026-4550, stems from an incorrect calculation in the secp384r1 CombinedMult function within the Cloudflare CIRCL library. Govulncheck analysis confirms the vulnerable code is present and reachable through multiple call paths in the OpenBao codebase, directly impacting core encryption and decryption functions.

The vulnerability is located in the `github.com/cloudflare/circl` dependency. Within OpenBao, the affected code paths are critical to the software's secure operation, including the `DecryptBytes` and `EncryptShares` functions within `helper/pgpkeys/encrypt_decrypt.go`, as well as the seal initialization in `vault/seal.go`. These functions are central to OpenBao's ability to protect sensitive data. The issue has been fixed in version v1.6.3 of the underlying library, but the OpenBao release branch remains exposed.

This finding places immediate scrutiny on deployments using the OpenBao 2.4.x release line. The reachable nature of the flaw means the vulnerable code can be triggered during normal operation, potentially compromising the integrity of cryptographic operations used for sealing and encrypting secrets. Organizations relying on this branch for production secrets management now face a pressing security risk, necessitating an assessment of their dependency chain and an urgent path to remediation.