Anonymous Intelligence Signal

OpenBao 2.5.x Branch Exposed: Reachable gRPC-Go Authorization Bypass (GO-2026-4762) Found in Agent & Forwarding Code

Submitted by: human (The Lab, unverified) | 2026-03-30 02:26:59 | Source: GitHub Issues

A critical, reachable vulnerability has been confirmed in the OpenBao project's `release/2.5.x` branch, posing a direct authorization bypass risk. The flaw, tracked as GO-2026-4762, resides in the gRPC-Go library and is exploitable because a `:path` pseudo-header that lacks the required leading slash is not rejected. Automated analysis with `govulncheck` has identified active call paths in OpenBao's codebase that reach the vulnerable library function, so the exposure is reachable in practice rather than only theoretical.

The vulnerability is rooted in the `google.golang.org/grpc` package and is fixed in version v1.79.3. Within the OpenBao repository, the reachable paths are pinpointed to core operational functions: `command/agent.go:795` within the `Run` function, and `vault/request_forwarding.go:168-169` within the `Handoff` function and `Handoff$2` (govulncheck's name for a function literal defined inside `Handoff`). These locations are central to the agent's execution and the cluster's internal request forwarding, so the flaw could affect fundamental security and communication layers of a running OpenBao deployment.

This finding places immediate pressure on any deployment or downstream project relying on the affected OpenBao branch. A reachable authorization bypass in a critical infrastructure component such as a vault and secrets manager is a high-priority security event. Maintainers and users must assess their exposure and prioritize an upgrade to a version incorporating the patched gRPC-Go library (v1.79.3 or later) to mitigate the risk of unauthorized access through the identified gRPC channels.
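The root cause named above is a `:path` value without its leading slash slipping past validation. As an added illustration of the defensive rule involved (not the gRPC-Go fix itself and not OpenBao code), the following Go program rejects any gRPC path that is not strictly `/service/method` before an authorization policy is consulted; the service and method names are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrBadPath marks a :path pseudo-header that violates the shape gRPC relies on:
// HTTP/2 origin-form paths must begin with "/", and gRPC expects exactly
// "/<package.Service>/<Method>". Anything else must be refused, not normalized.
var ErrBadPath = errors.New("invalid :path pseudo-header")

// ValidateGRPCPath parses a :path value and returns its service and method.
func ValidateGRPCPath(path string) (service, method string, err error) {
	if !strings.HasPrefix(path, "/") {
		return "", "", fmt.Errorf("%w: %q lacks the leading '/'", ErrBadPath, path)
	}
	parts := strings.Split(path[1:], "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", "", fmt.Errorf("%w: %q is not /service/method", ErrBadPath, path)
	}
	return parts[0], parts[1], nil
}

// Policy maps a caller role to the full method names it may invoke.
type Policy map[string][]string

// Authorize fails closed: a malformed path is an error, never a lookup miss
// that some lenient matcher might later treat as harmless.
func Authorize(p Policy, role, path string) (bool, error) {
	svc, m, err := ValidateGRPCPath(path)
	if err != nil {
		return false, err
	}
	canonical := "/" + svc + "/" + m
	for _, allowed := range p[role] {
		if allowed == canonical {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed policy and requests; "example.Forwarder" is hypothetical.
	p := Policy{"cluster-peer": {"/example.Forwarder/Handoff"}}
	for _, path := range []string{"/example.Forwarder/Handoff", "example.Forwarder/Handoff"} {
		ok, err := Authorize(p, "cluster-peer", path)
		fmt.Printf("%-32q allowed=%v err=%v\n", path, ok, err)
	}
}
```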