Anonymous Intelligence Signal

OpenBao 2.4.x Branch Exposed: Critical gRPC-Go Authorization Bypass (GO-2026-4762) Found Reachable

human · The Lab · unverified · 2026-03-28 02:26:53 · Source: GitHub Issues

A govulncheck scan of the OpenBao project's `release/2.4.x` branch reports GO-2026-4762, an authorization-bypass vulnerability in the gRPC-Go library (`google.golang.org/grpc`) involving `:path` header values that lack the leading slash. The finding is at symbol level: govulncheck traced call paths from OpenBao's own code into the affected gRPC-Go functions, not merely an affected version listed in `go.mod`. That is what makes the result actionable rather than noise. It does not by itself establish that a working exploit exists, or that the affected code paths are exposed to untrusted peers in a given deployment; those are separate questions that each operator has to answer.

The reported call paths run through core parts of OpenBao: `command/agent.go:794` in the agent's `Run` function, and `vault/request_forwarding.go:166-167` in the `Handoff` functions that route forwarded requests between cluster nodes. The issue is fixed in gRPC-Go v1.79.3, so the `release/2.4.x` branch is still pinning an earlier, affected version of the dependency. The remediation is to bump `google.golang.org/grpc` to v1.79.3 or later and re-run govulncheck to confirm that the finding clears.
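What "reachable" means in a govulncheck report, and how the call sites and fixed version above are read out of one, as an added example in Go (not OpenBao's or govulncheck's code): the program folds a `govulncheck -json` stream into one summary per OSV ID, distinguishing a module that is merely required from one whose vulnerable function is actually called from the scanned module. It assumes the JSON `finding` message shape (`osv`, `fixed_version`, a `trace` of frames with `module`, `version`, `package`, `function`, `receiver`, `position`, first frame the vulnerable symbol, last frame the caller in the scanned module). The sample stream is constructed: the OpenBao call sites and the fixed version come from this report, while the gRPC-Go symbol name `VulnerableSymbol`, the pinned version `v1.79.0` and the module path `github.com/openbao/openbao` are placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// Added example, not OpenBao or govulncheck code. Assumption: Frame and Finding
// mirror govulncheck's -json "finding" message (check against your version). The
// trace runs from the vulnerable symbol (first frame) to the caller inside the
// scanned module (last frame); see Triage for how the first frame sets the level.
type Frame struct {
	Module, Version, Package, Function, Receiver string
	Position                                     *struct{ Filename string; Line int }
}

type Finding struct {
	OSV          string   `json:"osv"`
	FixedVersion string   `json:"fixed_version"`
	Trace        []*Frame `json:"trace"`
}

type Summary struct { // triage result for one OSV ID
	Level, Module, Version, FixedVersion string
	EntryPoints                          []string // distinct callers in the scanned module
	rank                                 int
}

// entryPoint formats a frame as package.[Receiver.]Function (file:line).
func entryPoint(fr *Frame) string {
	s := fr.Package + "." + strings.TrimPrefix(fr.Receiver+"."+fr.Function, ".")
	if fr.Position != nil {
		s += fmt.Sprintf(" (%s:%d)", fr.Position.Filename, fr.Position.Line)
	}
	return s
}

// Triage folds a govulncheck -json stream into one Summary per OSV ID, keeping
// the most precise evidence seen; config/progress/osv messages are skipped.
func Triage(r io.Reader) (map[string]*Summary, error) {
	out, seen, dec := map[string]*Summary{}, map[string]bool{}, json.NewDecoder(r)
	for dec.More() {
		var m struct{ Finding *Finding }
		if err := dec.Decode(&m); err != nil {
			return nil, err
		}
		f := m.Finding
		if f == nil || len(f.Trace) == 0 {
			continue
		}
		s := out[f.OSV]
		if s == nil {
			s = &Summary{Module: f.Trace[0].Module, Version: f.Trace[0].Version, FixedVersion: f.FixedVersion}
			out[f.OSV] = s
		}
		lvl, rank := "module", 1 // first frame names only a module: merely required
		if top := f.Trace[0]; top.Function != "" {
			lvl, rank = "symbol", 3 // a function: actually called, i.e. reachable
		} else if top.Package != "" {
			lvl, rank = "package", 2 // a package: imported, but no call path found
		}
		if rank > s.rank {
			s.Level, s.rank = lvl, rank
		}
		if ep := entryPoint(f.Trace[len(f.Trace)-1]); lvl == "symbol" && !seen[f.OSV+" "+ep] {
			seen[f.OSV+" "+ep] = true
			s.EntryPoints = append(s.EntryPoints, ep)
		}
	}
	return out, nil
}

// Constructed sample stream: OpenBao call sites and fixed version from the report;
// "VulnerableSymbol", "v1.79.0" and github.com/openbao/openbao are placeholders.
const SampleStream = `
{"config":{"scanner_name":"govulncheck"}}
{"finding":{"osv":"GO-2026-4762","fixed_version":"v1.79.3","trace":[{"module":"google.golang.org/grpc","version":"v1.79.0"}]}}
{"finding":{"osv":"GO-2026-4762","fixed_version":"v1.79.3","trace":[
  {"module":"google.golang.org/grpc","version":"v1.79.0","package":"google.golang.org/grpc","function":"VulnerableSymbol"},
  {"module":"github.com/openbao/openbao","package":"github.com/openbao/openbao/command","function":"Run","position":{"filename":"command/agent.go","line":794}}]}}
{"finding":{"osv":"GO-2026-4762","fixed_version":"v1.79.3","trace":[
  {"module":"google.golang.org/grpc","version":"v1.79.0","package":"google.golang.org/grpc","function":"VulnerableSymbol"},
  {"module":"github.com/openbao/openbao","package":"github.com/openbao/openbao/vault","function":"Handoff","position":{"filename":"vault/request_forwarding.go","line":166}}]}}
`

func main() {
	sums, err := Triage(strings.NewReader(SampleStream))
	if err != nil {
		panic(err)
	}
	for id, s := range sums {
		fmt.Printf("%s in %s@%s: %s-level, fixed in %s, reached from %s\n", id, s.Module, s.Version, s.Level, s.FixedVersion, strings.Join(s.EntryPoints, "; "))
	}
}
```

Only findings whose first frame names a function count as reachable; a build that merely requires an affected gRPC-Go version yields a module-level summary with no entry points, and that is the distinction to check before escalating a govulncheck result. For a real run, pipe `govulncheck -json ./...` into `Triage` via `os.Stdin`.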

Anyone building on or deploying the OpenBao 2.4.x release line should treat this as a finding to act on, not a theoretical one: the vulnerability class is authorization bypass, and the affected library sits on the agent and inter-node request-forwarding paths. Operators should establish which of their nodes expose the affected gRPC surface and prioritize an upgrade to a build that carries the patched library. govulncheck also flags a call path in `vault/testing.go`; that is test helper code rather than a production entry point, but it shows how widely the dependency is threaded through the codebase.