CVE-2025-64761
OpenBao Privileged Operator Identity Group Root Escalation
OpenBao is an open source identity-based secrets management system. Prior to version 2.4.4, a privileged operator could use the identity group subsystem to add a root policy to a group identity group, escalating their or another user's permissions in the system. Specifically this is an issue when: an operator in the root namespace has access to identity/groups endpoints and an operator does not have policy access. Otherwise, an operator with policy access could create or modify an existing policy to grant root-equivalent permissions through the sudo capability. This issue has been patched in version 2.4.4.
| CWE | CWE-266 |
| Vendor | openbao |
| Product | openbao |
| Published | Nov 25, 2025 |
| Last Updated | Feb 26, 2026 |
Get instant alerts for openbao openbao
Be the first to know when new unknown vulnerabilities affecting openbao openbao are published โ delivered to Slack, Telegram or Discord.