Anonymous Intelligence Signal

OpenBao 2.5.x Branch Exposes Critical gRPC Authorization Bypass (GO-2026-4762)

Author: The Lab (unverified) | 2026-03-31 12:27:41 | Source: GitHub Issues

A critical, reachable vulnerability has been confirmed in the OpenBao project's `release/2.5.x` branch, exposing a potential authorization bypass in its core gRPC communication layer. The flaw, tracked as GO-2026-4762, stems from a missing leading slash in the `:path` header within the `google.golang.org/grpc` dependency, which could allow unauthorized access to protected functions. The govulncheck tool has identified three specific, reachable call paths within the OpenBao codebase that directly trigger this vulnerability, confirming an active and exploitable risk.

The vulnerable code resides in components responsible for agent execution and request forwarding: `command/agent.go:795` in the `Run` function, and `vault/request_forwarding.go:168-169` within the `Handoff` functions. These paths are integral to normal operation, handling core agent logic and inter-node communication. The issue is present in multiple dependencies, including `github.com/hashicorp/[email protected]` and `golang.org/x/[email protected]`, but is fixed in `google.golang.org/[email protected]`.
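The advisory's root cause is a `:path` pseudo-header that does not begin with the leading slash gRPC assumes, so any authorization logic keyed on the raw path string can be reasoning about a value it never expected. The defensive pattern a reviewer would want around `Handoff`-style forwarding endpoints is to parse the method path strictly, fail closed on anything non-canonical, and only then consult an allow-list. The example below is added here and is not OpenBao's or grpc-go's own code; the service and method names (`openbao.Forwarding/Handoff`, `openbao.Health/Check`) are constructed placeholders, and the `Authorizer` type and its token flag are assumptions standing in for whatever identity check a real deployment performs.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrInvalidPath is returned for any :path value that is not exactly
// "/Service/Method". Callers treat it as a hard deny, never as "public".
var ErrInvalidPath = errors.New("grpc path is not of the form /Service/Method")

// ParseGRPCPath validates a gRPC method path strictly. It rejects a missing
// leading slash, empty service or method components, and extra segments, so
// that a non-canonical path can never be matched as if it were canonical.
func ParseGRPCPath(path string) (service, method string, err error) {
	if !strings.HasPrefix(path, "/") {
		return "", "", ErrInvalidPath
	}
	parts := strings.Split(path[1:], "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", "", ErrInvalidPath
	}
	return parts[0], parts[1], nil
}

// Authorizer holds an allow-list of fully qualified methods that may be
// called without a token (hypothetical; real deployments would key this on
// the caller's identity rather than a boolean).
type Authorizer struct {
	public map[string]bool
}

// NewAuthorizer builds an Authorizer from canonical "/Service/Method" names.
func NewAuthorizer(public ...string) *Authorizer {
	a := &Authorizer{public: make(map[string]bool, len(public))}
	for _, p := range public {
		a.public[p] = true
	}
	return a
}

// Authorize returns nil when the call is permitted. It never compares the raw
// path string against the allow-list: the path is parsed and re-canonicalized
// first, and any parse failure is denied outright.
func (a *Authorizer) Authorize(path string, hasValidToken bool) error {
	svc, m, err := ParseGRPCPath(path)
	if err != nil {
		return fmt.Errorf("deny %q: %w", path, err)
	}
	full := "/" + svc + "/" + m
	if a.public[full] || hasValidToken {
		return nil
	}
	return fmt.Errorf("unauthorized: %s requires a valid token", full)
}

func main() {
	auth := NewAuthorizer("/openbao.Health/Check") // constructed public method
	// Constructed sample paths, including one that lacks the leading slash.
	for _, p := range []string{
		"/openbao.Health/Check",
		"/openbao.Forwarding/Handoff",
		"openbao.Forwarding/Handoff",
		"//Handoff",
	} {
		fmt.Printf("%-30s anonymous: %v\n", p, auth.Authorize(p, false))
	}
}
```

The design choice worth noting is fail-closed parsing before any allow-list lookup: a deny-list that matches protected prefixes like `"/openbao.Forwarding/"` would silently treat a slash-less path as unprotected, whereas the strict parser above turns the same malformed input into `ErrInvalidPath`, which is also the condition a detection rule on the server's logs should alert on.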

This finding places immediate pressure on all deployments using the OpenBao 2.5.x release series. The reachable nature of the flaw means the vulnerable code is not dormant; it is actively used in standard operations, significantly raising the risk of exploitation. Organizations relying on OpenBao for secrets management and secure service communication must prioritize assessing their exposure and applying the patched gRPC dependency. The presence of this vulnerability in such a foundational security project underscores the persistent challenge of securing the software supply chain, even within tools designed for high-assurance environments.