OpenBao 2.5.x Branch Exposed: Reachable gRPC-Go Authorization Bypass (GO-2026-4762)
A critical, reachable vulnerability has been confirmed in the OpenBao project's `release/2.5.x` branch. The flaw, tracked as GO-2026-4762, is an authorization bypass in the gRPC-Go library caused by a missing leading slash in the `:path` header. Govulncheck reports the vulnerable symbol as called, not merely imported: it sits on concrete execution paths in this release line, so the finding cannot be dismissed as a transitive dependency whose code never runs. Reachability establishes that the vulnerable code executes; whether an attacker can trigger it still depends on which gRPC listeners a given deployment exposes and to whom.
The vulnerability resides in the `google.golang.org/grpc` module and is fixed in v1.79.3. Within the OpenBao repository, the reachable call paths trace to core operational functions: `Run` in `command/agent.go:795`, and `Handoff` in `vault/request_forwarding.go:168-169`. These are not obscure, unused code paths but integral parts of the agent and of cluster request forwarding, the mechanisms that carry authenticated requests between OpenBao nodes. The presence of the flaw in these locations significantly elevates the risk profile.
This finding places immediate pressure on any deployment or downstream project relying on the affected OpenBao 2.5.x branch. An authorization bypass in a system that manages secrets and access control could allow unauthorized access or privilege escalation. A fix exists in the upstream gRPC-Go library, but it must be integrated into an OpenBao release before operators running official builds benefit from it; teams building OpenBao from source can bump the dependency themselves (`go get google.golang.org/grpc@v1.79.3`, then `go mod tidy`) and re-run govulncheck to confirm the finding is gone. The confirmation of reachability turns this from a routine dependency-update advisory into an active operational security warning for infrastructure and security teams.
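The distinction the article hinges on, "called" versus merely "imported", is exactly what govulncheck encodes in its `-json` output: it emits a module-level and a package-level finding for every vulnerable dependency, and a symbol-level finding (whose trace starts at the vulnerable function and ends at an entry point in the scanned code) only when the vulnerable symbol is reachable. The following Go program is an added example, not OpenBao's or govulncheck's own code, that collapses those findings per OSV id and fails if any vulnerability is actually reachable, which is the gate a CI pipeline should enforce. The embedded input is a constructed stream shaped like govulncheck's output for the finding above; the vulnerable symbol name, the found-in version and the OpenBao module path are placeholders or assumptions, not values taken from the real report.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"sort"
	"strings"
)

// Subset of govulncheck's -json stream: one JSON object per line, fields not listed here are ignored.
type position struct {
	Filename string `json:"filename"`
	Line     int    `json:"line"`
}

type frame struct {
	Module   string    `json:"module"`
	Version  string    `json:"version"`
	Function string    `json:"function"`
	Position *position `json:"position"`
}

type finding struct {
	OSV          string  `json:"osv"`
	FixedVersion string  `json:"fixed_version"`
	Trace        []frame `json:"trace"` // vulnerable symbol first, entry point in the scanned code last
}

type message struct {
	Finding *finding `json:"finding"`
}

// Summary collapses the module-, package- and symbol-level findings govulncheck emits for one OSV id.
type Summary struct {
	Module, Version, FixedVersion string
	Called                        bool     // at least one symbol-level trace reaches the scanned code
	CallSites                     []string // "file:line function" entry points in the scanned code
}

// Summarize reads a govulncheck -json stream and groups its findings by OSV id.
func Summarize(r io.Reader) (map[string]*Summary, error) {
	dec := json.NewDecoder(r)
	out := map[string]*Summary{}
	for {
		var m message
		if err := dec.Decode(&m); err == io.EOF {
			break
		} else if err != nil {
			return nil, err
		}
		if m.Finding == nil || len(m.Finding.Trace) == 0 {
			continue // config/progress/osv messages carry no finding
		}
		f := m.Finding
		s, ok := out[f.OSV]
		if !ok {
			s = &Summary{}
			out[f.OSV] = s
		}
		vuln := f.Trace[0]
		s.Module, s.Version, s.FixedVersion = vuln.Module, vuln.Version, f.FixedVersion
		if vuln.Function == "" {
			continue // module- or package-level finding: imported, not shown to be called
		}
		s.Called = true
		if entry := f.Trace[len(f.Trace)-1]; entry.Position != nil {
			s.CallSites = append(s.CallSites, fmt.Sprintf("%s:%d %s", entry.Position.Filename, entry.Position.Line, entry.Function))
		}
	}
	return out, nil
}

// Verdict renders a report and reports whether any vulnerability is reachable (the CI failure condition).
func Verdict(sums map[string]*Summary) (string, bool) {
	ids := make([]string, 0, len(sums))
	for id := range sums {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	var b strings.Builder
	reachable := false
	for _, id := range ids {
		s, state := sums[id], "imported only"
		if s.Called {
			state, reachable = "CALLED", true
		}
		fmt.Fprintf(&b, "%s %s@%s: %s, fixed in %s\n", id, s.Module, s.Version, state, s.FixedVersion)
		for _, site := range s.CallSites {
			fmt.Fprintf(&b, "  reached from %s\n", site)
		}
	}
	return b.String(), reachable
}

// SampleOutput is a constructed stream; VULNERABLE_SYMBOL, vX.Y.Z and the OpenBao module path are placeholders.
const SampleOutput = `{"config":{"scanner_name":"govulncheck"}}
{"finding":{"osv":"GO-2026-4762","fixed_version":"v1.79.3","trace":[{"module":"google.golang.org/grpc","version":"vX.Y.Z"}]}}
{"finding":{"osv":"GO-2026-4762","fixed_version":"v1.79.3","trace":[{"module":"google.golang.org/grpc","version":"vX.Y.Z","function":"VULNERABLE_SYMBOL"},{"module":"github.com/openbao/openbao","function":"Run","position":{"filename":"command/agent.go","line":795}}]}}
{"finding":{"osv":"GO-2026-4762","fixed_version":"v1.79.3","trace":[{"module":"google.golang.org/grpc","version":"vX.Y.Z","function":"VULNERABLE_SYMBOL"},{"module":"github.com/openbao/openbao","function":"Handoff","position":{"filename":"vault/request_forwarding.go","line":168}}]}}
`

func main() {
	var in io.Reader = strings.NewReader(SampleOutput)
	if len(os.Args) > 1 && os.Args[1] == "-" {
		in = os.Stdin // usage: govulncheck -json ./... | go run main.go -
	}
	sums, err := Summarize(in)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	report, reachable := Verdict(sums)
	fmt.Print(report)
	if reachable {
		os.Exit(1)
	}
}
```

Run it without arguments to see the verdict for the constructed sample, or pipe a real `govulncheck -json ./...` run into it with `-`. The exit status is 1 only for called findings, so a dependency that is present but never executed does not block a build, while a finding like the one above does until the module is bumped to its fixed version.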