## OpenBao Secrets Operator Exposed: GO-2024-2947 Vulnerability Leaks HTTP Auth Credentials to Logs
A confirmed, reachable vulnerability in the OpenBao Secrets Operator's main branch risks leaking HTTP basic authentication credentials directly into log files. The flaw, tracked as GO-2024-2947, stems from a failure to sanitize URLs before they are written to logs, so a username and password embedded in a request URL can be recorded verbatim. The govulncheck tool has identified a direct call path from the operator's own code into the vulnerable function, confirming that the exposure is not merely a vulnerable dependency sitting unused in the module graph but is exploitable in the current codebase.

The vulnerability resides within the `github.com/hashicorp/go-retryablehttp` library used by the operator. Specifically, the affected code is located at `internal/vault/client.go:515` in the `Write` function. This security lapse means that any HTTP request containing basic auth credentials in its URL could have those secrets inadvertently recorded in plaintext within application logs. The issue has been patched in version v0.7.7 of the operator, but any deployment running an earlier version remains at risk.

For teams using the OpenBao Secrets Operator to manage sensitive application secrets, this finding represents a critical exposure to insider threats. Log files, often treated as lower-security artifacts and shipped to aggregators with broad read access, could become a treasure trove for attackers with internal access or in the event of a log leak. The exposure underscores the cascading risk of supply chain vulnerabilities, where a flaw in a foundational library like HashiCorp's retryablehttp directly compromises the security posture of dependent projects. Immediate upgrade to v0.7.7 is the only mitigation.
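The defensive pattern behind the fix, and a check a responder can run over existing logs, as an added example written for this article rather than code taken from the operator or from go-retryablehttp: `RedactURL` masks the password in a URL's userinfo with `(*url.URL).Redacted` from the standard library, `StripUserinfo` drops the credentials entirely before the URL is logged, and `FindLeakedCredentials` scans log text for `scheme://user:password@` patterns so that already-written logs can be triaged. The function names, the hostnames and the log lines in `sampleLog` are all constructed for this example and are assumptions, not output from the operator.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// RedactURL returns the URL with any password in its userinfo replaced by
// "xxxxx", which is what net/url's (*URL).Redacted does. Logging this string
// instead of the raw URL is the sanitization the vulnerable code path lacked.
func RedactURL(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	return u.Redacted(), nil
}

// StripUserinfo removes the username and password altogether, which is the
// stricter choice when the username itself is considered sensitive.
func StripUserinfo(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	u.User = nil
	return u.String(), nil
}

// credentialInURL matches scheme://user:password@ in free text such as a log
// line. The character classes exclude '/', '@' and ':' so that a plain
// host:port after "://" does not match.
var credentialInURL = regexp.MustCompile(`[a-zA-Z][a-zA-Z0-9+.-]*://[^\s/@:]+:[^\s/@]+@`)

// FindLeakedCredentials scans log text and returns the 1-based line numbers
// that contain a URL with embedded basic-auth credentials.
func FindLeakedCredentials(logText string) []int {
	var hits []int
	for i, line := range strings.Split(logText, "\n") {
		if credentialInURL.MatchString(line) {
			hits = append(hits, i+1)
		}
	}
	return hits
}

// sampleLog is a constructed sample for this example; it is not operator output.
// Line 1 and line 3 carry credentials in the URL, line 2 is clean.
const sampleLog = `2024-06-24T10:00:00Z DEBUG retrying request method=GET url=https://svc-user:s3cr3t@vault.example.internal:8200/v1/secret/data/app
2024-06-24T10:00:01Z INFO  request succeeded url=https://vault.example.internal:8200/v1/secret/data/app
2024-06-24T10:00:02Z DEBUG retrying request method=PUT url=http://admin:hunter2@127.0.0.1:8200/v1/auth/token/renew-self`

func main() {
	raw := "https://svc-user:s3cr3t@vault.example.internal:8200/v1/secret/data/app"
	redacted, _ := RedactURL(raw)
	fmt.Println("redacted:", redacted)
	stripped, _ := StripUserinfo(raw)
	fmt.Println("stripped:", stripped)
	fmt.Println("lines with leaked credentials:", FindLeakedCredentials(sampleLog))
}
```

`Redacted` keeps the username visible and only masks the password; if usernames are account identifiers you would rather not expose to anyone who can read logs, prefer the `StripUserinfo` form. The scanner is a triage aid for logs already written, not a substitute for upgrading; on the affected module, running `govulncheck ./...` from the module root reproduces the reachability report the article refers to.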

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: vulnerability, security, supply-chain, secrets-management, logging
- **Credibility**: unverified
- **Published**: 2026-03-26 02:26:57
- **ID**: 34472
- **URL**: https://whisperx.ai/en/intel/34472