OpenBao 2.4.x Branch Exposed: Critical gRPC-Go Authorization Bypass (GO-2026-4762) Found Reachable

A critical, reachable security vulnerability has been identified in the `release/2.4.x` branch of the OpenBao project. The flaw, tracked as GO-2026-4762, is an authorization bypass in the gRPC-Go library, stemming from a missing leading slash in the `:path` header. Govulncheck analysis confirms the vulnerability is not just present in the codebase but is actively reachable through multiple execution paths, meaning an attacker could potentially exploit it without needing to trigger obscure or dormant code.

The vulnerability resides within the `google.golang.org/grpc` package and affects specific functions in OpenBao's core operational code. The reachable call paths have been pinpointed to four key locations: `command/agent.go:794` in the `Run` function, `vault/request_forwarding.go:166-167` in the `Handoff` functions, and `vault/testing.go:1820` in the `StopCore` function. This mapping indicates the flaw is embedded in both agent runtime logic and critical internal request-handling mechanisms, significantly widening the potential attack surface for any deployment based on this branch.

The fix for this underlying library issue is available in version v1.79.3 of the affected gRPC-Go package. For OpenBao maintainers and downstream users, this creates immediate pressure to audit the `release/2.4.x` branch, assess backport requirements, and update dependencies. The presence of a reachable authorization bypass in a security-focused secret management tool like OpenBao represents a high-severity risk, potentially compromising the integrity of access controls and secret isolation if left unpatched in active deployments.