OpenBao Secrets Operator Exposes Reachable HTTP/2 Infinite Loop Vulnerability (GO-2026-4918)
A reachable denial-of-service vulnerability has been confirmed in openbao/openbao-secrets-operator, the Kubernetes secrets management operator forked from HashiCorp Vault. Security scanning identified GO-2026-4918, a critical flaw in golang.org/x/net that triggers an infinite loop when processing malformed HTTP/2 SETTINGS frames. Govulncheck has verified the vulnerability is reachable in production code paths, specifically within the AWS credential handling logic at internal/vault/credentials/aws.go:151.
The vulnerability lies in the HTTP/2 protocol implementation in golang.org/x/net. When a malicious server sends a SETTINGS_MAX_FRAME_SIZE with a value of 0, the transport enters an infinite loop of writing CONTINUATION frames, effectively hanging the connection and consuming resources indefinitely. The affected dependency chain includes github.com/aws/[email protected] and github.com/hashicorp/go-secure-stdlib/awsutil, both widely used in cloud infrastructure tooling. A fix exists in golang.org/x/net v0.53.0, but the openbao-secrets-operator main branch remains exposed until dependencies are updated.
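As an added illustration, not code from openbao-secrets-operator or golang.org/x/net, the Go function below parses one raw HTTP/2 SETTINGS frame and applies the bounds RFC 9113 sets for SETTINGS_MAX_FRAME_SIZE (2^14 to 2^24-1), so the zero value described above is rejected as a protocol error before any transport state is derived from it; it generalizes from the zero case to the whole out-of-range band and to the frame-level checks (stream 0, declared length, ACK without payload). The frame builder is constructed sample input; the remediation for the operator itself remains the dependency upgrade the article names.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

const (
	frameTypeSettings   = 0x4       // RFC 9113 §6.5 SETTINGS frame type
	settingMaxFrameSize = 0x5       // SETTINGS_MAX_FRAME_SIZE identifier
	minMaxFrameSize     = 1 << 14   // smallest legal value (the initial default)
	maxMaxFrameSize     = 1<<24 - 1 // largest legal value
)

// validateSettingsFrame parses a raw SETTINGS frame (9-byte header plus payload) and rejects anything a conforming endpoint must treat as a connection error.
func validateSettingsFrame(raw []byte) (map[uint16]uint32, error) {
	if len(raw) < 9 || raw[3] != frameTypeSettings {
		return nil, fmt.Errorf("not a complete SETTINGS frame header")
	}
	length := int(raw[0])<<16 | int(raw[1])<<8 | int(raw[2])
	streamID := binary.BigEndian.Uint32(raw[5:9]) & 0x7fffffff
	payload := raw[9:]
	switch {
	case streamID != 0:
		return nil, fmt.Errorf("SETTINGS on stream %d; must be stream 0", streamID)
	case len(payload) != length:
		return nil, fmt.Errorf("declared length %d but %d payload bytes", length, len(payload))
	case raw[4]&0x1 != 0 && length != 0: // ACK flag set together with a payload
		return nil, fmt.Errorf("SETTINGS ACK must carry no payload")
	case length%6 != 0:
		return nil, fmt.Errorf("payload length %d is not a multiple of 6", length)
	}
	settings := make(map[uint16]uint32)
	for off := 0; off < length; off += 6 {
		id := binary.BigEndian.Uint16(payload[off:])
		val := binary.BigEndian.Uint32(payload[off+2:])
		if id == settingMaxFrameSize && (val < minMaxFrameSize || val > maxMaxFrameSize) {
			return nil, fmt.Errorf("SETTINGS_MAX_FRAME_SIZE %d outside [%d, %d]", val, minMaxFrameSize, maxMaxFrameSize)
		}
		settings[id] = val
	}
	return settings, nil
}

// settingsFrame builds a constructed one-setting SETTINGS frame (length 6, flags 0, stream 0) as sample input, not captured traffic.
func settingsFrame(id uint16, val uint32) []byte {
	f := []byte{0, 0, 6, frameTypeSettings, 0, 0, 0, 0, 0, byte(id >> 8), byte(id), 0, 0, 0, 0}
	binary.BigEndian.PutUint32(f[11:], val)
	return f
}
```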
The implications are significant for Kubernetes environments relying on OpenBao for secrets injection. The GetCreds function, which handles AWS credential retrieval, represents a critical authentication pathway. A compromised or malicious HTTP/2 endpoint could trigger the infinite loop, causing operator hangs, credential refresh failures, and potential cascading outages across dependent workloads. Organizations running the openbao-secrets-operator should immediately audit their deployed versions and prioritize dependency updates to golang.org/x/net v0.53.0 or later. The vulnerability underscores the ongoing security risks inherited through transitive dependencies in infrastructure tooling, particularly in the Go ecosystem where HTTP/2 is deeply integrated into standard library components.