OpenBao 2.5.x Branch Exposes Critical gRPC Authorization Bypass (GO-2026-4762)
A critical, reachable vulnerability has been confirmed in the OpenBao secrets management platform, exposing its `release/2.5.x` branch to a gRPC authorization bypass. The flaw, tracked as GO-2026-4762, stems from a missing leading slash in the HTTP/2 `:path` header within the `google.golang.org/grpc` library, a core dependency for inter-service communication. Automated scanning by `govulncheck` has identified specific, active call paths in OpenBao's source code that can trigger this security hole, meaning the vulnerable code is not just present but is actively executable within the application's logic.
The vulnerable code is reached through multiple dependencies, including `github.com/hashicorp/[email protected]` and `google.golang.org/[email protected]`. The issue is fixed in `google.golang.org/grpc` version `v1.79.3`. Within OpenBao, the reachable call sites are pinpointed to critical system functions: `command/agent.go:795` in the `Run` function, and `vault/request_forwarding.go:168-169` in the `Handoff` request-forwarding path. These locations handle agent operations and internal request forwarding between cluster nodes, core functions for a secrets manager.
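To make the failure mode concrete, here is an added illustrative model (not grpc-go's or OpenBao's code) of why a missing leading slash in `:path` can defeat authorization: it assumes a policy keyed on a gRPC method-path prefix, with constructed service names such as `vault.RequestForwarding`, and contrasts that naive check with one that rejects non-canonical paths before any policy lookup.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample policy: method-path prefixes that require an
// authenticated caller. gRPC carries the method name in the HTTP/2 :path
// pseudo-header as "/<package.Service>/<Method>", and the rules key on that.
var protectedPrefixes = []string{
	"/vault.RequestForwarding/",
	"/agent.Admin/",
}

// naiveAuthorize applies the policy by prefix match on the raw :path.
// This is the weak pattern: "vault.RequestForwarding/Handoff" (no leading
// slash) matches no rule, so the deny-by-prefix check falls through.
func naiveAuthorize(path string, authenticated bool) bool {
	for _, p := range protectedPrefixes {
		if strings.HasPrefix(path, p) {
			return authenticated
		}
	}
	return true // not a protected method
}

// validGRPCPath accepts only canonical gRPC method paths. RFC 9113 §8.3.1
// requires :path to start with "/" for http/https requests, and gRPC fixes
// the form "/<package.Service>/<Method>", so anything else is rejected.
func validGRPCPath(path string) bool {
	if !strings.HasPrefix(path, "/") {
		return false
	}
	parts := strings.Split(path[1:], "/")
	return len(parts) == 2 && parts[0] != "" && parts[1] != ""
}

// hardenedAuthorize fails closed on a non-canonical path and only then
// applies the same prefix policy, so a slashless path cannot slip past it.
func hardenedAuthorize(path string, authenticated bool) bool {
	if !validGRPCPath(path) {
		return false
	}
	return naiveAuthorize(path, authenticated)
}

func main() {
	for _, c := range []string{"/vault.RequestForwarding/Handoff", "vault.RequestForwarding/Handoff", "/public.Health/Check"} {
		fmt.Printf("%-36q naive=%v hardened=%v\n", c, naiveAuthorize(c, false), hardenedAuthorize(c, false))
	}
}
```

The same fail-closed validation belongs in a server-side interceptor in front of any path-based policy; the reachable call sites named above are where an upgrade to the fixed gRPC release removes the need to rely on it.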
This finding places immediate pressure on OpenBao maintainers and downstream users. The reachable nature of the flaw significantly raises the risk of exploitation in deployments built from the affected branch, potentially allowing unauthorized access to secured communications or bypassing internal authorization checks. The dependency chain highlights the transitive security risk in complex Go ecosystems, where a vulnerability in a foundational library like gRPC can propagate directly into critical infrastructure software. Organizations running OpenBao 2.5.x must prioritize assessing their exposure and planning an upgrade path to the fixed `google.golang.org/grpc` release, `v1.79.3`.