Anonymous Intelligence Signal

OpenBao 2.4.x Branch Exposed: Critical gRPC-Go Authorization Bypass (GO-2026-4762) Found Reachable

Posted by: The Lab (human, unverified) | 2026-03-30 02:27:00 | Source: GitHub Issues

A critical, reachable security vulnerability has been identified in the `release/2.4.x` branch of the OpenBao project. The flaw, tracked as GO-2026-4762, is an authorization bypass in the gRPC-Go library, stemming from a missing leading slash in the `:path` header. Govulncheck analysis confirms that the vulnerable code is actually called from OpenBao's source rather than merely present in its dependency graph, creating a direct path for potential exploitation.
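The class of defect described above, an authorization decision keyed on a request path that is not first checked for canonical form, is illustrated by the following added example. It is not OpenBao or gRPC-Go code and does not reproduce the library's internals; it shows the defensive pattern of validating the gRPC full-method name (the `:path` value, which gRPC-Go exposes to server interceptors as `UnaryServerInfo.FullMethod`) before any policy lookup, failing closed on anything that lacks the leading slash or does not have exactly the `/service/method` shape. The `MethodPolicy` type, the `Authorize` function and the `example.Forwarding` service name are constructed for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Sentinel errors so callers can distinguish a malformed request from a
// policy denial; both are treated as a hard reject by the interceptor.
var (
	ErrMalformedMethod = errors.New("malformed gRPC method name: expected /service/method")
	ErrNotAuthorized   = errors.New("method not authorized for caller role")
)

// MethodPolicy maps a canonical "/package.Service/Method" name to the set of
// caller roles allowed to invoke it. Anything not listed is denied.
// (Constructed type for this example; not an OpenBao or gRPC-Go API.)
type MethodPolicy map[string]map[string]bool

// CanonicalMethod validates that fullMethod is exactly "/service/method":
// a leading slash, a non-empty service, one separating slash, a non-empty
// method, and no further path segments. Authorization must only ever be
// evaluated on names that pass this check, so a value that omits the leading
// slash (or adds extra ones) can never match or bypass a policy entry.
func CanonicalMethod(fullMethod string) (service, method string, err error) {
	if !strings.HasPrefix(fullMethod, "/") {
		return "", "", ErrMalformedMethod
	}
	parts := strings.Split(fullMethod[1:], "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", "", ErrMalformedMethod
	}
	return parts[0], parts[1], nil
}

// Authorize is the check a unary/stream server interceptor would call with
// the incoming FullMethod and the role derived from the caller's credentials.
// It rebuilds the lookup key from the validated parts rather than trusting the
// raw string, and denies by default.
func (p MethodPolicy) Authorize(fullMethod, role string) error {
	svc, m, err := CanonicalMethod(fullMethod)
	if err != nil {
		return err
	}
	key := "/" + svc + "/" + m
	allowed, ok := p[key]
	if !ok || !allowed[role] {
		return ErrNotAuthorized
	}
	return nil
}

// ExamplePolicy returns a constructed policy used by main and the tests.
func ExamplePolicy() MethodPolicy {
	return MethodPolicy{
		"/example.Forwarding/Handoff": {"cluster-peer": true},
	}
}

func main() {
	p := ExamplePolicy()
	// Constructed inputs: one canonical request, one missing the leading
	// slash, one with a doubled slash, one from an unauthorized role.
	for _, c := range []struct{ method, role string }{
		{"/example.Forwarding/Handoff", "cluster-peer"},
		{"example.Forwarding/Handoff", "cluster-peer"},
		{"//example.Forwarding/Handoff", "cluster-peer"},
		{"/example.Forwarding/Handoff", "anonymous"},
	} {
		fmt.Printf("%-32s role=%-12s -> %v\n", c.method, c.role, p.Authorize(c.method, c.role))
	}
}
```

In a real server this check would run inside a `grpc.UnaryInterceptor` / `grpc.StreamInterceptor` before the handler; the point is that the interceptor never reasons about a path it has not first normalized and validated.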

The vulnerability resides in the `google.golang.org/grpc` dependency. Govulncheck has pinpointed specific call paths in the OpenBao codebase that reach the flawed code, including functions in core operational files: `command/agent.go:794` (`Run`), `vault/request_forwarding.go:166-167` (`Handoff`), and `vault/testing.go:1820` (`StopCore`). The weakness is therefore not dormant but sits on the paths that handle agent execution, request forwarding, and core lifecycle management.

The issue is fixed in gRPC-Go version v1.79.3. A reachable vulnerability of this kind in an active release branch of a security-focused secret management tool represents a significant integrity risk. Downstream deployments and integrations that rely on the `release/2.4.x` branch should be reviewed immediately, with priority given to patching or updating the `google.golang.org/grpc` dependency to v1.79.3 or later to close the authorization bypass.