N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-64761

CVE-2025-64761: OpenBao is Vulnerable to Privileged Operator Identity Group Root Escalation

Impact

Similar to HCSEC-2025-13 / CVE-2025-5999, a privileged operator could use the identity group subsystem to add a root policy to a group identity group, escalating their or another user's permissions in the system. Specifically this is an issue when:

An operator in the root namespace has access to identity/groups endpoints.
An operator does not have policy access.

Otherwise, an operator with policy access could create or modify an existing policy to grant root-equivalent permissions through the sudo capability.

Patches

Patched in version 2.4.4.

Workarounds

Users should audit the use of identity subsystem and deny operators access if it is not in use.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-64761

CVE-2025-64761:

N/A

CVSS Score

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/openbao/openbao	go	< 2.4.4	2.4.4

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in the vault/identity_store_groups.go file, specifically within the IdentityStore.handleGroupUpdateCommon function. This function is responsible for updating identity groups. The core of the issue is improper handling of policy name casing. A privileged operator could assign a root policy to an identity group by using a different case variation (e.g., "Root", "rOoT"). The original code used a function (strutil.RemoveDuplicatesStable) that performed case-insensitive comparisons for duplicates but preserved the original casing. This allowed the mixed-case "root" policy to bypass a security check that was explicitly looking for the lowercase "root" string. However, the policy would still be treated as a root policy by the system, leading to privilege escalation. The patch addresses this by replacing the faulty function with strutil.RemoveDuplicates, which normalizes all policy names to lowercase, ensuring that any variation of the "root" policy is caught by the security check. The vulnerability is confined to the identity group update logic, and the identified function is the central point where this logic is executed.

Vulnerable functions

IdentityStore.handleGroupUpdateCommon

vault/identity_store_groups.go

The function `handleGroupUpdateCommon` is responsible for processing updates to identity groups, including the policies associated with them. The vulnerability existed because the function did not properly normalize the case of policy names before checking for the presence of the highly privileged "root" policy. An attacker with sufficient permissions to modify an identity group could add a policy with a name like "Root" or "rOoT". The original code, using `strutil.RemoveDuplicatesStable`, would not lowercase this input, causing the check `slices.Contains(group.Policies, "root")` to fail. However, the underlying policy enforcement mechanism would still treat this policy as equivalent to "root", leading to a privilege escalation. The patch corrects this by using `strutil.RemoveDuplicates`, which ensures all policy names are converted to lowercase, thus preventing the bypass.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-64761: OpenBao is Vulnerable to Privileged Operator Identity Group Root Escalation

Impact

Patches

Workarounds

CVE-2025-64761:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2025-64761: OpenBao is Vulnerable to Privileged Operator Identity Group Root Escalation

Impact

Patches

Workarounds

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

N/A

N/A

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI