## OpenBao Secrets Operator Exposes Sensitive HTTP Credentials in Logs via GO-2024-2947
A reachable vulnerability in the OpenBao Secrets Operator's main branch leaks sensitive HTTP basic authentication credentials directly into log files. The flaw, tracked as GO-2024-2947, stems from the underlying `github.com/hashicorp/go-retryablehttp` library writing request URLs to its logs without first sanitizing them. Because a URL can carry basic-auth userinfo (`user:password@host`), any username and password sent this way can be recorded in plaintext, posing a significant data exposure risk for every deployment built from the affected code.

The vulnerability is confirmed as reachable within the `openbao/openbao-secrets-operator` repository, specifically on the `main` branch. The problematic code path originates in `internal/vault/client.go` at line 515, inside the `Write` function. This issue is not theoretical: the govulncheck tool has identified an active call path from the operator's source code to the vulnerable library function, meaning the exposure mechanism is present and exploitable in current builds.

The primary risk is to any system where the OpenBao Secrets Operator is deployed and interacts with services using HTTP basic authentication. Credentials sent in these requests could be silently captured in application logs, which are often less protected than primary secret stores. This type of information leak is particularly dangerous in automated CI/CD pipelines or containerized environments where logs are aggregated and accessible to a broader range of users or systems. A fix is available in version v0.7.7 of the operator, but any deployment running an earlier version remains exposed until patched.
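The two defensive actions this finding calls for, shown as an added Go example that is not code from the operator or from go-retryablehttp: `SanitizeURL` strips userinfo from a request URL before it is handed to any log sink, and `FindCredentialLeaks` scans log lines that were already written for URLs still carrying `user:password@`, so credentials exposed before the upgrade can be identified and rotated. The function names and the `sampleLog` lines are constructed for this illustration; the log format is not the operator's, and `vault.example.internal` and `svc-user:hunter2` are placeholders.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// SanitizeURL returns rawURL with any embedded userinfo ("user:password@")
// removed, so the result can be written to a log line without exposing
// basic-auth credentials. Scheme, host, path and query are preserved.
// Unparseable input yields a fixed placeholder rather than the raw string,
// because the raw string is exactly what might contain a secret.
func SanitizeURL(rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "<unparseable-url>", err
	}
	u.User = nil // drop username and password entirely
	return u.String(), nil
}

// credentialInURL matches a scheme followed by userinfo and "@" in front of a
// host, e.g. "https://svc-user:hunter2@vault.example.internal". Bare
// e-mail-like tokens with no "://" before them are deliberately not matched.
var credentialInURL = regexp.MustCompile(`(?i)\b[a-z][a-z0-9+.-]*://[^\s/@]+@`)

// FindCredentialLeaks returns the indexes of the log lines that contain a URL
// with embedded userinfo. Run it over logs produced before the fix to find
// credentials that must be rotated.
func FindCredentialLeaks(lines []string) []int {
	var hits []int
	for i, line := range lines {
		if credentialInURL.MatchString(line) {
			hits = append(hits, i)
		}
	}
	return hits
}

// sampleLog is constructed for this example; it imitates the shape of
// request-logging lines and is not captured from the operator.
var sampleLog = []string{
	`2026-03-28T02:26:49Z INFO performing request method=PUT url=https://vault.example.internal/v1/secret/data/app`,
	`2026-03-28T02:26:50Z INFO performing request method=PUT url=https://svc-user:hunter2@vault.example.internal/v1/secret/data/app`,
	`2026-03-28T02:26:51Z WARN request failed status=403 url=https://vault.example.internal/v1/auth/token/lookup`,
	`2026-03-28T02:26:52Z INFO user admin@example.com authenticated`,
}

func main() {
	safe, err := SanitizeURL("https://svc-user:hunter2@vault.example.internal/v1/secret/data/app")
	fmt.Println(safe, err) // https://vault.example.internal/v1/secret/data/app <nil>

	for _, i := range FindCredentialLeaks(sampleLog) {
		fmt.Printf("credential leak at line %d: %s\n", i, sampleLog[i])
	}
}
```

Upgrading the dependency is the real remediation; `SanitizeURL` is for the loggers and request hooks you control, where the same mistake is easy to repeat. The standard library's `(*url.URL).Redacted()` is a lighter alternative that keeps the username and masks only the password; this example removes both because the finding treats usernames as sensitive too.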

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: vulnerability, security, secrets-management, go, log-leak
- **Credibility**: unverified
- **Published**: 2026-03-28 02:26:49
- **ID**: 38656
- **URL**: https://whisperx.ai/en/intel/38656