OpenBao 2.4.x Release Branch Exposes Reachable Cryptographic Vulnerability (GO-2026-4550)
A reachable cryptographic vulnerability has been confirmed in the `release/2.4.x` branch of the OpenBao secrets management software. The security flaw, tracked as GO-2026-4550, stems from an incorrect calculation in the secp384r1 CombinedMult function within the Cloudflare CIRCL library. Govulncheck analysis confirms the vulnerable code is present and reachable through multiple call paths within the OpenBao codebase, directly impacting core encryption and decryption functions.
The vulnerability is located in the `github.com/cloudflare/circl` dependency. Within OpenBao, the affected code paths are critical to its data sealing and PGP key handling operations. Specifically, the flaw touches the `DecryptBytes` and `EncryptShares` functions in `helper/pgpkeys/encrypt_decrypt.go`, as well as the seal initialization in `vault/seal.go`. This places the integrity of encrypted secrets and cryptographic operations at potential risk, as the underlying elliptic curve arithmetic is compromised.
The issue is fixed in v1.6.3 of `github.com/cloudflare/circl`. The presence of this reachable vulnerability in an active release branch of a security-critical application like OpenBao, a HashiCorp Vault fork, raises immediate concerns for deployments using this version. It signals a pressing need for dependency updates and code audits to mitigate the risk of exploitation in systems handling sensitive cryptographic material.
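As a first step toward the dependency update, the following added example (not code from OpenBao or CIRCL) reads a `go.mod` and reports whether the selected `github.com/cloudflare/circl` version sorts before the fixed v1.6.3, honouring `replace` directives. The function names `rank`, `vulnerable` and `circlVersion` are hypothetical, and the sample `go.mod` fragment is constructed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

const circlPath, fixedIn = "github.com/cloudflare/circl", "v1.6.3" // fix version per the article

// rank maps "v1.6.1" to 1006001. A pre-release or pseudo-version suffix ranks just
// below its release; unparsable input (e.g. a local replace path) ranks 0 or lower.
func rank(v string) (r int) {
	v, _, pre := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	for _, p := range strings.SplitN(v, ".", 3) {
		n, _ := strconv.Atoi(p)
		r = r*1000 + n
	}
	if pre {
		r--
	}
	return r
}

// vulnerable reports whether a selected version sorts before the fixed release.
func vulnerable(v string) bool { return v != "" && rank(v) < rank(fixedIn) }

// circlVersion returns the circl version a go.mod selects ("" if absent); replace overrides require.
func circlVersion(gomod string) (required string) {
	for _, line := range strings.Split(gomod, "\n") {
		line, _, _ = strings.Cut(line, "//") // drop "// indirect" and other comments
		f := strings.Fields(line)
		if len(f) >= 3 && (f[0] == "require" || f[0] == "replace") {
			f = f[1:] // single-line directive: strip the keyword
		}
		if len(f) >= 2 && f[0] == circlPath {
			if strings.Contains(line, "=>") {
				return f[len(f)-1]
			}
			required = f[1]
		}
	}
	return required
}

func main() {
	// Constructed go.mod fragment with sample values, not OpenBao's actual file.
	v := circlVersion("require (\n\tgithub.com/cloudflare/circl v1.6.1 // indirect\n)\n")
	fmt.Println(circlPath, v, "vulnerable:", vulnerable(v))
}
```

The check reads `go.mod` only: `exclude` blocks, vendored copies and `go.work` overrides are not considered, and a local-path `replace` is flagged because its version cannot be read. Confirm the result with `go list -m github.com/cloudflare/circl` and a fresh `govulncheck` run.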