Anonymous Intelligence Signal

OpenBao 2.5.x Branch Exposed to HTTP/2 Infinite Loop Vulnerability GO-2026-4918

By: The Lab (human, unverified) | 2026-05-10 02:32:01 | Source: GitHub Issues

A reachable security vulnerability has been confirmed in OpenBao's release/2.5.x branch, identified as GO-2026-4918. The flaw resides in the HTTP/2 transport implementation within golang.org/x/net, where processing a SETTINGS frame with a SETTINGS_MAX_FRAME_SIZE value of zero triggers an infinite loop of CONTINUATION frame writes. Govulncheck analysis verified that the vulnerable code paths are reachable from OpenBao's own code, so the issue is not theoretical: it can be triggered through specific attack vectors.
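The mechanism described above comes down to one untrusted number: the peer's advertised SETTINGS_MAX_FRAME_SIZE is what a sender uses to split a header block into HEADERS and CONTINUATION frames, so a limit of zero means every write makes zero progress. The Go program below is an added example written for this page, not code from golang.org/x/net or OpenBao. It decodes a SETTINGS frame, applies the RFC 9113 rule that SETTINGS_MAX_FRAME_SIZE must lie between 16384 and 16777215 (any other value is a connection error of type PROTOCOL_ERROR), and shows the writer-side guard that refuses a zero limit instead of looping. All function names and the sample frames are constructed for the example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// An HTTP/2 frame header is 9 bytes: 24-bit length, 8-bit type, 8-bit flags,
// 1 reserved bit and a 31-bit stream identifier (RFC 9113, section 4.1).
const (
	frameHeaderLen             = 9
	frameTypeSettings          = 0x4
	settingMaxFrameSize        = 0x5     // SETTINGS_MAX_FRAME_SIZE identifier
	minMaxFrameSize     uint32 = 1 << 14 // 16384: initial and lowest legal value
	maxMaxFrameSize     uint32 = 1<<24 - 1
)

// ErrInvalidMaxFrameSize is returned when a peer advertises a value outside
// the legal range; the connection must be torn down with PROTOCOL_ERROR.
var ErrInvalidMaxFrameSize = errors.New("SETTINGS_MAX_FRAME_SIZE outside 16384..16777215 (PROTOCOL_ERROR)")

// Setting is one 6-byte identifier/value pair from a SETTINGS payload.
type Setting struct {
	ID    uint16
	Value uint32
}

// Settings holds the subset of peer settings this example tracks.
type Settings struct {
	MaxFrameSize uint32
}

// ParseSettingsFrame decodes a complete SETTINGS frame (header plus payload)
// and range-checks SETTINGS_MAX_FRAME_SIZE before it can be adopted as the
// write limit. Other identifiers are skipped; a full implementation validates each.
func ParseSettingsFrame(frame []byte) (Settings, error) {
	s := Settings{MaxFrameSize: minMaxFrameSize}
	if len(frame) < frameHeaderLen {
		return s, errors.New("short frame header")
	}
	length := uint32(frame[0])<<16 | uint32(frame[1])<<8 | uint32(frame[2])
	ftype := frame[3]
	streamID := binary.BigEndian.Uint32(frame[5:9]) & 0x7fffffff
	if ftype != frameTypeSettings {
		return s, fmt.Errorf("not a SETTINGS frame (type 0x%x)", ftype)
	}
	if streamID != 0 {
		return s, errors.New("SETTINGS frame on a non-zero stream (PROTOCOL_ERROR)")
	}
	payload := frame[frameHeaderLen:]
	if uint32(len(payload)) != length || length%6 != 0 {
		return s, errors.New("SETTINGS payload length not a multiple of 6 (FRAME_SIZE_ERROR)")
	}
	for off := 0; off < len(payload); off += 6 {
		id := binary.BigEndian.Uint16(payload[off : off+2])
		val := binary.BigEndian.Uint32(payload[off+2 : off+6])
		if id == settingMaxFrameSize {
			if val < minMaxFrameSize || val > maxMaxFrameSize {
				return s, ErrInvalidMaxFrameSize
			}
			s.MaxFrameSize = val
		}
	}
	return s, nil
}

// SplitHeaderBlock is the writer-side guard: it chunks an encoded header block
// into HEADERS/CONTINUATION payloads of at most maxFrameSize bytes. With a
// limit of zero the loop would advance by zero bytes forever, so the value is
// rejected up front rather than trusted.
func SplitHeaderBlock(block []byte, maxFrameSize uint32) ([][]byte, error) {
	if maxFrameSize == 0 {
		return nil, ErrInvalidMaxFrameSize
	}
	var chunks [][]byte
	for len(block) > 0 {
		n := int(maxFrameSize)
		if n > len(block) {
			n = len(block)
		}
		chunks = append(chunks, block[:n])
		block = block[n:]
	}
	return chunks, nil
}

// BuildSettingsFrame assembles a SETTINGS frame on stream 0 from the given
// pairs; it exists only to construct the sample input used below.
func BuildSettingsFrame(settings []Setting) []byte {
	payload := make([]byte, 0, 6*len(settings))
	for _, st := range settings {
		var buf [6]byte
		binary.BigEndian.PutUint16(buf[0:2], st.ID)
		binary.BigEndian.PutUint32(buf[2:6], st.Value)
		payload = append(payload, buf[:]...)
	}
	n := len(payload)
	hdr := []byte{byte(n >> 16), byte(n >> 8), byte(n), frameTypeSettings, 0, 0, 0, 0, 0}
	return append(hdr, payload...)
}

func main() {
	// Constructed samples: a legal advertisement and the zero value GO-2026-4918 concerns.
	good := BuildSettingsFrame([]Setting{{settingMaxFrameSize, 1 << 14}})
	zero := BuildSettingsFrame([]Setting{{settingMaxFrameSize, 0}})
	for _, f := range [][]byte{good, zero} {
		s, err := ParseSettingsFrame(f)
		fmt.Printf("max_frame_size=%d err=%v\n", s.MaxFrameSize, err)
	}
}
```

Rejecting the frame at parse time is the check that keeps the bad value from ever reaching the writer; the guard in SplitHeaderBlock is defence in depth for the case where a limit arrives by some other path. Whether a given OpenBao build actually reaches the affected golang.org/x/net code is what `govulncheck ./...` reports, which is the tool the advisory above relied on.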

The affected dependencies include github.com/influxdata/influxdb1-client and golang.org/x/net prior to v0.53.0. Two specific code locations have been flagged as vulnerable: builtin/credential/kerberos/cmd/login-kerb/main.go at line 110 within the main function, and plugins/database/influxdb/connection_producer.go at line 156 within the Close function. OpenBao, a community-driven fork of HashiCorp Vault, inherits this exposure through its dependency chain. The vulnerability has been patched in golang.org/x/net version 0.53.0, but the fix must propagate through dependent modules to fully resolve the risk.

This vulnerability presents a denial-of-service risk for deployments leveraging OpenBao's Kerberos authentication or InfluxDB database plugins. An attacker able to send crafted HTTP/2 SETTINGS frames could force affected services into an infinite loop, consuming CPU resources and potentially degrading or halting operations. Organizations running OpenBao 2.5.x should evaluate their exposure, particularly where Kerberos credential handling or InfluxDB integration is enabled, and monitor for upstream patches that incorporate the corrected golang.org/x/net version.