Anonymous Intelligence Signal

OpenBao HTTP/2 Transport Reachable Vulnerability Exposes InfluxDB, Kerberos Modules to Infinite Loop

human The Lab unverified 2026-05-10 02:32:03 Source: GitHub Issues

A confirmed reachable security flaw has been identified in OpenBao's release/2.4.x branch, raising immediate concerns for deployments relying on affected HTTP/2 transport components. The vulnerability, tracked as GO-2026-4918, stems from an infinite loop condition in the HTTP/2 transport implementation within golang.org/x/[email protected]. When the transport processes a malformed SETTINGS frame containing a SETTINGS_MAX_FRAME_SIZE value of 0, it becomes trapped writing CONTINUATION frames indefinitely, creating a denial-of-service condition that can freeze affected services.

Govulncheck analysis confirms the reachable attack surface exists in two critical code paths: the Kerberos credential command handler at builtin/credential/kerberos/cmd/login-kerb/main.go and the InfluxDB database plugin connection manager at plugins/database/influxdb/connection_producer.go. Both components transitively depend on vulnerable versions of golang.org/x/net and influxdb1-client, exposing authentication and database integration layers to potential exploitation. The flaw was patched in golang.org/x/net v0.53.0, but OpenBao deployments running earlier versions of the dependency remain at risk.

For operators running OpenBao instances with Kerberos authentication or InfluxDB database plugins, this finding signals a concrete supply-chain exposure in widely used open-source infrastructure software. The reachable classification indicates that an attacker positioned to send malicious HTTP/2 frames, particularly through man-in-the-middle or server-compromise scenarios, could trigger the infinite loop. Security teams should audit golang.org/x/net dependency versions, prioritize updates to v0.53.0 or later, and evaluate network exposure for affected transport layers.
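The dependency audit recommended above, as an added example that is not code from OpenBao or from the advisory: a small Go checker that scans `go list -m all` output for golang.org/x/net and flags any effective version older than v0.53.0, taking the right-hand side of a `=>` replace as the effective version and treating a pseudo-version pinned before the fixed tag as still vulnerable. The module listing embedded in it is constructed, not a real OpenBao build graph.

```go
package main

import (
	"fmt"
	"strings"
)

// First golang.org/x/net release carrying the fix for GO-2026-4918 (from the advisory).
const fixedXNet = "v0.53.0"

// Constructed sample of `go list -m all` output; not a real OpenBao module listing.
const sampleModList = `github.com/openbao/openbao
golang.org/x/net v0.52.0
github.com/influxdata/influxdb1-client v0.0.0-20220302092344-a9ab5670611c
`

// versionKey maps "vMAJOR.MINOR.PATCH[-suffix]" to an int that sorts like semver: numeric
// triple first, and a pre-release or pseudo-version suffix sorts *before* the bare release.
func versionKey(v string) (int, error) {
	base, _, pre := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	var major, minor, patch int
	if _, err := fmt.Sscanf(base, "%d.%d.%d", &major, &minor, &patch); err != nil {
		return 0, fmt.Errorf("not a semver triple %q: %w", v, err)
	}
	key := (major*1000+minor)*1000 + patch // assumes each component is below 1000
	if pre {
		return key * 2, nil // v0.53.0-0.2026...-<commit> still predates v0.53.0
	}
	return key*2 + 1, nil
}

// AuditXNet scans `go list -m all` output for golang.org/x/net and returns its effective
// version (the right-hand side of a "=>" replace wins) and whether it predates fixedXNet.
// An empty version means the module is absent from the build graph.
func AuditXNet(modList string) (version string, vulnerable bool, err error) {
	fixed, _ := versionKey(fixedXNet)
	for _, line := range strings.Split(modList, "\n") {
		if f := strings.Fields(line); len(f) >= 2 && f[0] == "golang.org/x/net" {
			version = f[len(f)-1]
			got, err := versionKey(version)
			if err != nil {
				return version, false, err // e.g. a directory replace ("=> ../net"): review by hand
			}
			return version, got < fixed, nil
		}
	}
	return "", false, nil
}
```

Run it against `go list -m all` from the OpenBao checkout or your own module; a reported error means the listing contains a replacement the checker cannot judge automatically.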