## OpenBao 2.5.x Branch Exposed: Reachable gRPC-Go Authorization Bypass (GO-2026-4762)
A critical, reachable vulnerability has been confirmed in the OpenBao project's `release/2.5.x` branch. The flaw, identified as GO-2026-4762, is an authorization bypass in the gRPC-Go library caused by a missing leading slash in the `:path` header. Govulncheck reports it as reachable: the vulnerable library functions appear in the branch's static call graph, not merely in its dependency list, so the flaw is exposed through live code paths rather than sitting dormant in an unused import.

The vulnerability resides in the `google.golang.org/grpc` dependency. The affected call sites in the OpenBao repository are `command/agent.go:795`, in the `Run` function, and `vault/request_forwarding.go:168-169`, in the `Handoff` functions. These are core components for agent operation and internal request forwarding, so the flaw touches fundamental security and communication layers of the software. A fix is available in version v1.79.3 of the underlying library, so remediation means bumping that dependency and rebuilding.

This finding places immediate pressure on any deployment or downstream project relying on the OpenBao `release/2.5.x` branch. Because the flaw is confirmed reachable, it is an active security risk rather than a theoretical concern and requires urgent remediation. Organizations and developers must assess their exposure and plan an upgrade path, since the vulnerability could allow unauthorized access or privilege escalation through the gRPC interface, a critical channel for distributed system communication.
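As an added triage example (not code from the finding or from the OpenBao project), the Go snippet below reads a `go.mod` fragment, extracts the pinned `google.golang.org/grpc` version and compares it against the v1.79.3 fix version named above; the function names are this example's own and any `go.mod` content fed to it is constructed.

```go
package main

import (
	"strconv"
	"strings"
)

// FixedGRPCVersion is the patched google.golang.org/grpc release named in the advisory.
const FixedGRPCVersion = "v1.79.3"

// GRPCVersionFromGoMod returns the google.golang.org/grpc version pinned in go.mod text
// (single-line or block-form require), or "" if absent; a replace directive can override it.
func GRPCVersionFromGoMod(gomod string) string {
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 && f[0] == "google.golang.org/grpc" {
			return f[1]
		}
	}
	return ""
}

// versionKey maps "v1.79.2" (pre-release/build suffix dropped) to the integer
// major*1e6 + minor*1e3 + patch; ok is false unless the core is three integers below 1000.
func versionKey(v string) (key int, ok bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	fields := strings.Split(v, ".")
	if len(fields) != 3 {
		return 0, false
	}
	for _, s := range fields {
		n, err := strconv.Atoi(s)
		if err != nil || n < 0 || n >= 1000 {
			return 0, false
		}
		key = key*1000 + n
	}
	return key, true
}

// IsAffected reports whether a pinned grpc version is older than FixedGRPCVersion;
// ok is false when the version string cannot be parsed.
func IsAffected(version string) (affected, ok bool) {
	have, ok := versionKey(version)
	fixed, _ := versionKey(FixedGRPCVersion)
	return ok && have < fixed, ok
}
```

This only inspects the declared pin: `go list -m google.golang.org/grpc` resolves replace directives and minimal version selection, and govulncheck remains the tool that decides whether the vulnerable code is actually reachable.
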

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cybersecurity, vulnerability, open-source, grpc, authorization-bypass
- **Credibility**: unverified
- **Published**: 2026-03-29 02:26:50
- **ID**: 39446
- **URL**: https://whisperx.ai/en/intel/39446