OpenBao 2.4.x Release Branch Exposes Reachable Cryptographic Vulnerability GO-2026-4550

A reachable cryptographic vulnerability, GO-2026-4550, has been confirmed in the `release/2.4.x` branch of the OpenBao secrets management software. The govulncheck tool has identified a call path from OpenBao's source code to a flawed calculation in the Cloudflare CIRCL library, specifically within its secp384r1 CombinedMult function. This finding indicates that the vulnerable code is not just present but is actively reachable during execution, posing a direct security risk to systems using this version for PGP-based encryption operations.

The vulnerability stems from an incorrect calculation in the `github.com/cloudflare/circl` library, which OpenBao uses for cryptographic operations. The affected code paths are concentrated in the `helper/pgpkeys` package, specifically within the `DecryptBytes` and `EncryptShares` functions, as well as in the `vault/seal.go` initialization. These functions are core to OpenBao's ability to encrypt and decrypt sensitive data shares. The flaw is fixed in version v1.6.3 of the underlying library, but the OpenBao branch remains exposed.

This reachable vulnerability places any deployment relying on OpenBao's PGP key encryption for seal wrapping or secret sharing at potential risk. The confirmation that the call path is reachable elevates the issue from a theoretical dependency flaw to an actionable security exposure. Administrators of OpenBao, particularly those using the 2.4.x release line for production, must assess their dependency tree and coordinate an upgrade path. The persistence of this vulnerability in an active release branch underscores the challenges of managing transitive dependencies in security-critical open-source infrastructure.