OpenBao Plugins Main Branch Exposed: Critical gRPC Authorization Bypass (GO-2026-4762) Found Reachable
A critical, reachable vulnerability has been identified in the main branch of the OpenBao openbao-plugins repository, posing a direct risk of authorization bypass. The flaw, tracked as GO-2026-4762, resides within the gRPC-Go library and is exploitable due to a missing leading slash in the HTTP/2 :path header. Automated security scanning via govulncheck has confirmed that the vulnerable code is actively reachable through multiple call paths within the project's source, meaning the theoretical weakness is a practical, exploitable entry point.
The vulnerability stems from specific versions of core dependencies, including `github.com/hashicorp/[email protected]` and `github.com/openbao/openbao/sdk/[email protected]`. The issue is fixed in `google.golang.org/grpc` version v1.79.3. The reachable paths are pinpointed to key internal functions: `internal/logical/testing.go:202` and `:215` within the `Test` function, and `secrets/nomad/cmd/main.go:24` in the `main` function. This indicates the flaw is not buried in unused code but is integrated into logical testing frameworks and a core secrets management plugin for Nomad.
This finding places immediate pressure on any downstream systems or services built with or depending on the affected OpenBao plugin versions. The authorization bypass risk could allow unauthorized access to sensitive logical operations or secret management functions typically guarded by gRPC-based authentication. While a patch is available in the upstream gRPC library, the onus is now on the OpenBao project and its users to audit their dependency trees, update to the fixed version, and assess potential exposure in their deployments.
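The dependency audit the last paragraph calls for can be scripted against the output of `go list -m all`, which prints the version of every module selected for a build. The following Go program is an added example, not code from the OpenBao project or from govulncheck: it parses a constructed module list, compares each module's version against the fixed version named in the advisory using a small semver comparator (so v1.79.10 is correctly treated as newer than v1.79.3, and a pseudo-version such as v1.79.3-0.2026...-abc as older), and reports modules still below the fix. The sample module list and the `go-plugin` and `protobuf` versions in it are constructed for illustration; only `google.golang.org/grpc` below v1.79.3 and the advisory ID GO-2026-4762 come from the page.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample of `go list -m all` output (illustrative, not the real
// openbao-plugins module graph). The first line is the main module, which has
// no version; a replaced module prints as "old vX => new vY".
const sampleModList = `example.com/my-openbao-plugin
github.com/hashicorp/go-plugin v1.6.1
google.golang.org/grpc v1.78.0
google.golang.org/protobuf v1.36.0
`

// Advisory records the first version of a module that contains the fix.
type Advisory struct {
	ID     string
	Module string
	Fixed  string
}

// Fixed version v1.79.3 for grpc is taken from the advisory text on the page.
var advisories = []Advisory{
	{ID: "GO-2026-4762", Module: "google.golang.org/grpc", Fixed: "v1.79.3"},
}

// Finding is one module whose selected version is below the fixed version.
type Finding struct {
	ID, Module, Have, Fixed string
}

// parseSemver splits "vMAJOR.MINOR.PATCH[-prerelease][+build]" into numeric
// parts and the prerelease string. Build metadata is ignored.
func parseSemver(v string) (parts [3]int, pre string, ok bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexByte(v, '+'); i >= 0 {
		v = v[:i]
	}
	if i := strings.IndexByte(v, '-'); i >= 0 {
		pre, v = v[i+1:], v[:i]
	}
	fields := strings.Split(v, ".")
	if len(fields) != 3 {
		return parts, "", false
	}
	for i, f := range fields {
		n, err := strconv.Atoi(f)
		if err != nil || n < 0 {
			return parts, "", false
		}
		parts[i] = n
	}
	return parts, pre, true
}

// compareSemver returns -1, 0 or 1. Numeric fields are compared as integers,
// and any prerelease (including Go pseudo-versions) sorts below its release;
// two prereleases are compared lexically, which is sufficient here.
func compareSemver(a, b string) (int, error) {
	pa, prea, oka := parseSemver(a)
	pb, preb, okb := parseSemver(b)
	if !oka || !okb {
		return 0, fmt.Errorf("unparseable version: %q / %q", a, b)
	}
	for i := 0; i < 3; i++ {
		if pa[i] != pb[i] {
			if pa[i] < pb[i] {
				return -1, nil
			}
			return 1, nil
		}
	}
	switch {
	case prea == preb:
		return 0, nil
	case prea == "":
		return 1, nil
	case preb == "":
		return -1, nil
	case prea < preb:
		return -1, nil
	default:
		return 1, nil
	}
}

// auditModList reads `go list -m all` output and returns every advisory whose
// module is present at a version below the fixed one. For a "=>" replacement
// with a version, the replacement's version is the effective one.
func auditModList(modList string, advs []Advisory) ([]Finding, error) {
	have := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(modList))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 2 {
			continue // main module line: no version
		}
		path, ver := f[0], f[1]
		if len(f) >= 5 && f[2] == "=>" {
			ver = f[4] // versioned replacement; a local-path replace has no f[4]
		}
		have[path] = ver
	}
	var out []Finding
	for _, adv := range advs {
		ver, present := have[adv.Module]
		if !present {
			continue
		}
		c, err := compareSemver(ver, adv.Fixed)
		if err != nil {
			return nil, err
		}
		if c < 0 {
			out = append(out, Finding{adv.ID, adv.Module, ver, adv.Fixed})
		}
	}
	return out, nil
}

func main() {
	findings, err := auditModList(sampleModList, advisories)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s: %s is %s, fix available in %s\n", f.ID, f.Module, f.Have, f.Fixed)
	}
}
```

In practice, pipe the real output of `go list -m all` into `auditModList` instead of the constructed sample; a finding means the module floor still needs raising (for this advisory, `go get google.golang.org/grpc@v1.79.3` followed by `go mod tidy`), after which rerunning govulncheck confirms whether the reachable call paths it reported have been closed. This check only compares version floors; govulncheck remains the authority on whether the vulnerable symbols are actually reached.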