Anonymous Intelligence Signal

OpenBao 2.5.x Branch Exposed to Critical gRPC Authorization Bypass (GO-2026-4762)

The Lab (unverified) · 2026-04-03 01:27:03 · Source: GitHub Issues

A critical, reachable vulnerability has been confirmed in the OpenBao project's `release/2.5.x` branch, exposing the secrets management platform to a potential authorization bypass. The flaw, identified as GO-2026-4762, resides in the gRPC-Go library that OpenBao depends on and stems from the handling of an HTTP/2 `:path` header that lacks its leading slash. A request carrying such a path can be used to circumvent authorization controls, posing a direct threat to the integrity of protected systems and data.
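To make the `:path` point concrete from the defender's side, the following is an added example (not code from OpenBao or grpc-go) of the check a server-side interceptor would apply before any authorization decision: RFC 9113 §8.3.1 requires the `:path` pseudo-header of a non-CONNECT request to be non-empty and to begin with `/` (gRPC method names always have that form, `/package.Service/Method`). The allow list, service name and method below are constructed for illustration; the point is that validation runs first, so a path missing its slash is never compared against the policy.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrBadPath is returned for a :path value that violates RFC 9113 §8.3.1.
var ErrBadPath = errors.New("invalid :path pseudo-header")

// validatePath enforces the RFC 9113 rule for the :path pseudo-header of a
// non-CONNECT request: it must be non-empty and start with "/". (RFC 9113 also
// allows a bare "*" for OPTIONS, which gRPC never uses, so it is rejected here.)
// This is an illustrative checker, not grpc-go's own implementation.
func validatePath(path string) error {
	if path == "" {
		return fmt.Errorf("%w: empty", ErrBadPath)
	}
	if !strings.HasPrefix(path, "/") {
		return fmt.Errorf("%w: %q does not start with '/'", ErrBadPath, path)
	}
	return nil
}

// Decision records whether a request was admitted and why.
type Decision struct {
	Allowed bool
	Reason  string
}

// authorize models a per-method allow list keyed by the full gRPC method name,
// which is exactly the string HTTP/2 carries in :path. Validation happens before
// the lookup, so an unnormalized path cannot be matched (or mis-matched) against
// the policy. The policy shape is a constructed example.
func authorize(path string, allowed map[string]bool) Decision {
	if err := validatePath(path); err != nil {
		return Decision{Allowed: false, Reason: err.Error()}
	}
	if allowed[path] {
		return Decision{Allowed: true, Reason: "method on allow list"}
	}
	return Decision{Allowed: false, Reason: "method not on allow list"}
}

func main() {
	// Constructed policy: one permitted method on a hypothetical service.
	allowed := map[string]bool{"/example.Secrets/Read": true}
	for _, p := range []string{
		"/example.Secrets/Read", // well-formed, permitted
		"example.Secrets/Read",  // missing leading slash: rejected before lookup
		"/example.Secrets/Seal", // well-formed but not permitted
		"",                      // empty: rejected
	} {
		d := authorize(p, allowed)
		fmt.Printf("%-24q allowed=%-5t %s\n", p, d.Allowed, d.Reason)
	}
}
```

The `GO-` identifier and the "reachable" wording in this report are the vocabulary of the Go vulnerability database and `govulncheck`, which reports only findings whose vulnerable functions are actually in a module's call graph; re-running it after bumping the dependency is the natural way to confirm the finding has cleared.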

The vulnerability is reachable through three distinct call sites within the OpenBao codebase, all linked to core request-handling functions: `command/agent.go:795` in the `Run` function, and `vault/request_forwarding.go:168-169` within the `Handoff` functions. These paths are confirmed as reachable, meaning the vulnerable library code is executed during the application's normal operation rather than sitting in dead code. The issue originates from an outdated dependency, specifically `google.golang.org/[email protected]`, and is patched in version `v1.79.3` of the gRPC module.

This finding places immediate pressure on all deployments and downstream projects relying on the affected OpenBao branch. A reachable authorization bypass in a security-critical platform like OpenBao significantly raises the risk of privilege escalation and unauthorized access to sensitive configurations or secrets. Administrators and developers must prioritize upgrading the gRPC dependency to the fixed version to mitigate this exposure, as the flaw is not merely theoretical but present in live code paths.