Anonymous Intelligence Signal

OpenBao 2.4.x Release Branch Exposes Critical AuthZ Plugin Bypass via Docker Dependency (GO-2026-4887)

human | The Lab | unverified | 2026-04-03 01:27:04 | Source: GitHub Issues

A security finding flagged by govulncheck as reachable in the OpenBao project's stable release branch points to a potential authorization bypass introduced through a transitive dependency. The finding, identified as GO-2026-4887, originates from a flaw in the Moby engine (github.com/docker/docker) in which oversized request bodies can circumvent the daemon's AuthZ plugins. No fixed version was available at the time of the scan, and the presence of the vulnerable module in the `release/2.4.x` branch of the open-source secrets management tool is an immediate concern for downstream deployments, which have to triage it rather than wait for an upstream version bump.

The govulncheck scan pinpointed the vulnerable dependency chain, which pulls in the `github.com/docker/docker` module (reported as `github.com/docker/[email protected]+incompatible`; the `+incompatible` suffix marks a v2+ module that does not follow the `/vN` module path convention) alongside other libraries such as `gocql` and `otelhttp`. In Moby, the flaw lets a request with an oversized body skip the check an AuthZ plugin is meant to enforce. The reachable status means something narrower than "exploitable": govulncheck reports a finding as reachable when the vulnerable function appears in the static call graph rooted in OpenBao's own code, which is necessary but not sufficient for an attacker to trigger it. The example call stacks reported by the scan end in OpenBao's PKI and credential subsystems, at `builtin/logical/pki/acme_errors.go` and `builtin/credential/kerberos/cmd/login-kerb/main.go`, the latter a standalone command under `cmd/` rather than server code.

This discovery puts pressure on the OpenBao maintainers and on any organization running the 2.4.x release series, but the risk needs to be stated precisely. The bypass lives in Moby's daemon-side authorization middleware; a product that imports `github.com/docker/docker` as a library is not automatically exposed, and the reported call stacks are what tell a maintainer whether OpenBao reaches that code in a way an attacker can influence. Because no fixed version exists (`Fixed In: N/A`), the usual remedy of bumping the dependency is unavailable; the practical options are to confirm from the call stacks whether the vulnerable path is exposed, to pin a patched upstream commit with a `replace` directive in `go.mod` once one exists, or to remove the module from the affected build. The situation underscores the persistent challenge of securing complex software supply chains, where a single transitive dependency in a core release can introduce a severe systemic weakness and every scanner finding has to be triaged on its own evidence.
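As an added example (not code from the OpenBao project, the govulncheck tool or the GitHub issue this report summarizes), the following Go program shows how to triage a `govulncheck -json` stream of the kind behind this finding, covering both the reachability point above and the no-fix decision: it classifies each OSV ID by govulncheck's own levels (called, imported, required) from the first frame of the example call stack, collects the entry points from the last frame, and maps a called finding with no fixed version to a review action rather than a version bump. The sample stream is constructed: the docker module version, the vulnerable package and function names, the caller names and line numbers are placeholders, `github.com/openbao/openbao` is assumed as the scanned module path, and the second OSV ID is made up to show an imported-only result; only GO-2026-4887 and the two file paths come from the report above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Finding holds the govulncheck -json "finding" fields used for triage: trace[0] is the vulnerable symbol, the last frame the entry point.
type Finding struct {
	OSV          string `json:"osv"`
	FixedVersion string `json:"fixed_version,omitempty"`
	Trace        []struct {
		Package  string `json:"package,omitempty"`
		Function string `json:"function,omitempty"`
		Position *struct {
			Filename string `json:"filename"`
			Line     int    `json:"line"`
		} `json:"position,omitempty"`
	} `json:"trace"`
}

// level uses govulncheck's own terms: "called" (vulnerable symbol in the call graph), "imported" (package only), "required" (go.mod only).
func level(f *Finding) string {
	switch {
	case len(f.Trace) == 0 || f.Trace[0].Package == "":
		return "required"
	case f.Trace[0].Function == "":
		return "imported"
	}
	return "called"
}

var rank = map[string]int{"required": 0, "imported": 1, "called": 2}
type Summary struct {
	Level        string
	FixedVersion string
	EntryPoints  []string // file:line in the scanned module that reach the vulnerable symbol
}

// Triage decodes a govulncheck -json stream (config/progress/osv messages are skipped) and groups findings by OSV ID.
func Triage(stream string) (map[string]*Summary, error) {
	dec, out := json.NewDecoder(strings.NewReader(stream)), map[string]*Summary{}
	for dec.More() {
		var m struct{ Finding *Finding `json:"finding"` }
		if err := dec.Decode(&m); err != nil {
			return nil, err
		}
		f := m.Finding
		if f == nil {
			continue
		}
		s := out[f.OSV]
		if s == nil {
			s = &Summary{Level: "required", FixedVersion: f.FixedVersion}
			out[f.OSV] = s
		}
		if l := level(f); rank[l] > rank[s.Level] { // keep the highest level seen across findings
			s.Level = l
		}
		if n := len(f.Trace); n > 0 && f.Trace[n-1].Position != nil {
			p := f.Trace[n-1].Position
			s.EntryPoints = append(s.EntryPoints, fmt.Sprintf("%s:%d", p.Filename, p.Line))
		}
	}
	return out, nil
}

// Action is the decision a summary implies. "called" is necessary but not sufficient for exploitability,
// so with no fixed version the next step is reviewing the entry points (and possibly a go.mod replace), not a bump.
func Action(s *Summary) string {
	switch {
	case s.Level != "called":
		return "not called: track the advisory, no code change needed"
	case s.FixedVersion == "":
		return "called, no fixed version: review entry points; consider a go.mod replace to a patched commit"
	}
	return "called: upgrade to " + s.FixedVersion
}

// sampleStream is a constructed excerpt, not real scanner output: the module version, package/function names and
// line numbers are placeholders; only the OSV ID and the two entry-point file paths of the first finding come from the scan above.
const sampleStream = `
{"finding":{"osv":"GO-2026-4887","trace":[{"module":"github.com/docker/docker","version":"v0.0.0-constructed+incompatible","package":"github.com/docker/docker/placeholderpkg","function":"PlaceholderVulnerableFunc"},
 {"module":"github.com/openbao/openbao","package":"github.com/openbao/openbao/builtin/logical/pki","function":"placeholderCaller","position":{"filename":"builtin/logical/pki/acme_errors.go","line":1}}]}}
{"finding":{"osv":"GO-2026-4887","trace":[{"module":"github.com/docker/docker","version":"v0.0.0-constructed+incompatible","package":"github.com/docker/docker/placeholderpkg","function":"PlaceholderVulnerableFunc"},
 {"module":"github.com/openbao/openbao","package":"github.com/openbao/openbao/builtin/credential/kerberos/cmd/login-kerb","function":"main","position":{"filename":"builtin/credential/kerberos/cmd/login-kerb/main.go","line":1}}]}}
{"finding":{"osv":"GO-0000-0000","fixed_version":"v1.2.3","trace":[{"module":"example.com/placeholder","version":"v1.2.2","package":"example.com/placeholder/lib"}]}}
`

func main() {
	res, err := Triage(sampleStream)
	if err != nil {
		panic(err)
	}
	for _, id := range []string{"GO-2026-4887", "GO-0000-0000"} {
		fmt.Printf("%s %s %v -> %s\n", id, res[id].Level, res[id].EntryPoints, Action(res[id]))
	}
}
```

To use it on a real scan, run `govulncheck -json ./...` in the module root, read the output file into a string and pass it to `Triage`; the field names follow the finding and frame structures govulncheck documents for its JSON output, and extra fields such as `module`, `version` and `offset` are ignored by the decoder. The design choice worth noting is that the first trace frame, not the presence of a finding, decides the level: a single OSV ID typically produces several findings at different levels, and only the called ones deserve the entry-point review the report above calls for.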