OpenBao Plugins Main Branch Exposed: GO-2026-4762 gRPC-Go Authorization Bypass Vulnerability
A critical vulnerability in the gRPC-Go library has been confirmed as reachable from the `main` branch of the OpenBao plugins repository (openbao/openbao-plugins). The flaw, tracked as GO-2026-4762, is an authorization bypass: a `:path` pseudo-header missing its leading slash is accepted, which could allow unauthorized access to protected RPC methods. Govulncheck reports the vulnerable code as reachable from the repository's own source, not merely present in its module graph, so any binary built from the affected branch is exposed rather than just carrying a vulnerable dependency on paper.
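To make the failure mode concrete, here is an added example written for this page; it is not code from OpenBao or from grpc-go. It uses only Go's standard library and models the advisory's description under one stated assumption: the weak server tolerates a `:path` without the leading slash when dispatching, but hands the raw path to an authorization check that is keyed on the canonical `/Service/Method` name. The service names, tokens and policy are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed dispatch table keyed by "Service/Method" (no leading slash), the
// shape a server might use after parsing the :path pseudo-header. The service
// names are hypothetical and are not OpenBao's plugin API.
var handlers = map[string]string{
	"bao.Secrets/Read": "read handler",
	"bao.Secrets/List": "list handler",
}

// Hypothetical policy: methods that require an admin token, keyed on the
// canonical gRPC full-method name "/Service/Method", as interceptor-based
// authorization typically is.
var adminOnly = map[string]bool{
	"/bao.Secrets/Read": true,
}

// authorize is the per-RPC check an interceptor would run. It sees only the
// method string the server hands it.
func authorize(fullMethod, token string) bool {
	if adminOnly[fullMethod] {
		return token == "admin"
	}
	return true
}

// splitPathLenient models the weak behaviour: a missing leading "/" is
// tolerated, so "bao.Secrets/Read" still resolves to a handler.
func splitPathLenient(path string) (string, bool) {
	svc, m, ok := strings.Cut(strings.TrimPrefix(path, "/"), "/")
	if !ok || svc == "" || m == "" {
		return "", false
	}
	return svc + "/" + m, true
}

// splitPathStrict enforces the wire format "/" Service-Name "/" Method-Name:
// a path without the leading slash is rejected before dispatch, so the
// authorizer and the dispatcher can never disagree about the method name.
// (Normalising the path before authorising is the other valid fix.)
func splitPathStrict(path string) (string, bool) {
	if !strings.HasPrefix(path, "/") {
		return "", false
	}
	return splitPathLenient(path)
}

// serve returns the gRPC status code name a request with the given :path and
// token would receive; strict selects the hardened parser.
func serve(strict bool, path, token string) string {
	split := splitPathLenient
	if strict {
		split = splitPathStrict
	}
	key, ok := split(path)
	if !ok {
		return "UNIMPLEMENTED"
	}
	if _, found := handlers[key]; !found {
		return "UNIMPLEMENTED"
	}
	// The bypass pattern: the raw :path value is what the authorizer sees, so
	// "bao.Secrets/Read" never matches the "/bao.Secrets/Read" policy entry.
	if !authorize(path, token) {
		return "PERMISSION_DENIED"
	}
	return "OK"
}

func main() {
	for _, c := range []struct {
		strict      bool
		path, token string
	}{
		{false, "/bao.Secrets/Read", "guest"}, // denied, as intended
		{false, "bao.Secrets/Read", "guest"},  // lenient server: bypass
		{true, "bao.Secrets/Read", "guest"},   // strict server: rejected
		{true, "/bao.Secrets/Read", "admin"},  // strict server: legitimate use
	} {
		fmt.Printf("strict=%-5t path=%-20q token=%-5s -> %s\n",
			c.strict, c.path, c.token, serve(c.strict, c.path, c.token))
	}
}
```

The point of the example is the disagreement between two views of the same request: the dispatcher happily resolves `bao.Secrets/Read`, while the policy lookup on the un-normalised string finds nothing and therefore allows it. Any fix has to make both sides see one canonical name, either by rejecting the malformed path at the edge (as `splitPathStrict` does) or by normalising it before the first authorization decision.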
The vulnerability is fixed in gRPC-Go v1.79.3, but the `main` branch of openbao/openbao-plugins still depends on an affected version. Govulncheck traces the reachable call paths to three call sites in the repository: `internal/logical/testing.go:202` and `:215` in the `Test` function, and `secrets/nomad/cmd/main.go:24` in the `main` function. These locations are not the vulnerable code itself; they are the points at which the repository's own code enters the vulnerable library, namely the shared test helper for logical plugins and the entry point of the Nomad secrets plugin. With the plugin's `main` on the path, the Nomad plugin binary built from this branch links the vulnerable code, and the `Test` call sites mean the test suite exercises it as well.
This finding puts immediate pressure on developers and operators who build OpenBao plugins from this repository. Until `google.golang.org/grpc` is bumped to v1.79.3 or later in `go.mod` and the plugins are rebuilt, every binary produced from the current `main` branch inherits the vulnerability. Whether it is exploitable in a given deployment depends on whether untrusted clients can reach the plugin's gRPC listener and whether any authorization decision there is keyed on the request path; a reachable call path is a reason to patch now, not proof of exploitability. To check a checkout, run `govulncheck ./...` and `go list -m google.golang.org/grpc` from the module root; the latter reports the version the build actually selects, which is the number that matters.
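As a quick pre-build gate, here is an added example (written for this page, not tooling from OpenBao or the Go team) that reads the `google.golang.org/grpc` requirement out of a `go.mod` and compares it with the fixed version named above. The `go.mod` text is a constructed sample, not the repository's real file, and the check reads only the `require` lines; `replace` directives and minimal-version selection across the module graph are not modelled, so treat `go list -m google.golang.org/grpc` as authoritative and this as the cheap first look.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

const grpcModule = "google.golang.org/grpc"

// fixedVersion is the version the advisory text names as fixed.
const fixedVersion = "v1.79.3"

// sampleGoMod is a constructed go.mod excerpt for demonstration; it is not the
// openbao/openbao-plugins file.
const sampleGoMod = `module github.com/example/plugins

go 1.24

require (
	github.com/hashicorp/go-plugin v1.6.3
	google.golang.org/grpc v1.79.2
	google.golang.org/protobuf v1.36.5
)
`

// requiredVersion returns the version go.mod pins for module, or "" when the
// module is not listed. It handles both "require m v" on one line and entries
// inside a "require ( ... )" block; a trailing "// indirect" is ignored.
func requiredVersion(goMod, module string) string {
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) >= 2 && f[0] == "require" {
			f = f[1:]
		}
		if len(f) >= 2 && f[0] == module {
			return f[1]
		}
	}
	return ""
}

// splitVersion breaks "v1.79.3" or "v1.79.3-0.20260101-abcdef" into its
// numeric core and an optional pre-release/pseudo-version suffix.
func splitVersion(v string) ([3]int, string) {
	core, pre, _ := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	var n [3]int
	for i, p := range strings.SplitN(core, ".", 3) {
		n[i], _ = strconv.Atoi(p) // canonical Go module versions only
	}
	return n, pre
}

// semverLess reports whether a sorts before b. A pre-release or pseudo-version
// sorts below the release it precedes, matching Go's module ordering.
func semverLess(a, b string) bool {
	na, pa := splitVersion(a)
	nb, pb := splitVersion(b)
	for i := 0; i < 3; i++ {
		if na[i] != nb[i] {
			return na[i] < nb[i]
		}
	}
	return pa != "" && pb == ""
}

// checkGoMod reports the pinned grpc version and whether it predates the fix.
func checkGoMod(goMod string) (pinned string, vulnerable bool, err error) {
	pinned = requiredVersion(goMod, grpcModule)
	if pinned == "" {
		return "", false, fmt.Errorf("%s is not listed in go.mod; run: go list -m %s", grpcModule, grpcModule)
	}
	return pinned, semverLess(pinned, fixedVersion), nil
}

func main() {
	v, vuln, err := checkGoMod(sampleGoMod)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%s %s: vulnerable=%t (fixed in %s)\n", grpcModule, v, vuln, fixedVersion)
}
```

Run it against the real `go.mod` by replacing the sample string with the file contents; a `vulnerable=true` result means the build will link an affected gRPC-Go unless something further down the module graph selects a newer version, which `go list -m` will show.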