## OpenBao Secrets Operator Exposes Sensitive HTTP Credentials in Logs via GO-2024-2947
A critical security vulnerability in the OpenBao Secrets Operator's main branch can leak sensitive HTTP basic authentication credentials directly into log files. The flaw, identified as GO-2024-2947, is confirmed as 'reachable' by automated scanning tools, meaning the vulnerable code path is active and exploitable in the current codebase. This creates a direct channel for unauthorized access to secrets managed by the operator, a core component for handling sensitive data in cloud-native environments.

The vulnerability originates in the `github.com/hashicorp/go-retryablehttp` library used by the operator. Specifically, the library fails to sanitize request URLs before writing them to its logs. As a result, any HTTP request whose URL embeds basic auth credentials (the `user:password@host` form) has those secrets written in plaintext to the application's log files. The operator's call into the library is at `internal/vault/client.go:515`, inside the `Write` function of the openbao/openbao-secrets-operator repository.
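
To make the failure mode concrete, here is an added Go example (not code from the operator or from go-retryablehttp) that shows the kind of URL that leaks, how `url.URL.Redacted` from the standard library strips the password before the value reaches a log, and a simple audit of existing log lines for `scheme://user:password@host` patterns. The hostname, credentials and log lines are constructed; the library's own patch is not reproduced here.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// RedactURL returns a loggable copy of the URL: url.URL.Redacted replaces any
// password in the userinfo with "xxxxx" and leaves scheme, user name, host,
// port and path untouched. Logging this instead of the raw URL closes the leak.
func RedactURL(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	return u.Redacted(), nil
}

// credentialInLog matches scheme://user:password@ and captures the password.
var credentialInLog = regexp.MustCompile(`[a-zA-Z][a-zA-Z0-9+.-]*://[^/\s:@]+:([^/\s@]+)@`)

// FindLeakedCredentials returns the 1-based numbers of log lines holding a URL
// with an embedded password; lines already redacted to "xxxxx" are skipped.
func FindLeakedCredentials(lines []string) []int {
	var hits []int
	for i, line := range lines {
		if m := credentialInLog.FindStringSubmatch(line); m != nil && m[1] != "xxxxx" {
			hits = append(hits, i+1)
		}
	}
	return hits
}

func main() {
	// Constructed request URL with fake basic-auth credentials.
	raw := "https://svc-user:S3cretPass@vault.example.internal:8200/v1/secret/data/app"
	safe, _ := RedactURL(raw)
	fmt.Println("unpatched client would log:", raw)
	fmt.Println("should be logged instead:  ", safe)

	// Constructed log lines; only the first one leaks a password.
	logs := []string{
		"[DEBUG] GET " + raw,
		"[DEBUG] GET " + safe,
		"[DEBUG] GET https://vault.example.internal:8200/v1/sys/health",
	}
	fmt.Println("log lines with leaked credentials:", FindLeakedCredentials(logs)) // [1]
}
```

The audit function is useful for checking whether logs already shipped to an aggregation system contain credentials that must be rotated, independently of upgrading the library.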

While a fix is available in version v0.7.7, the flaw's persistence in the main branch means any deployment not yet updated remains exposed. Authentication credentials written to logs are a severe data leak, since they can compromise the entire secrets management system the operator is designed to protect. Development and security teams should audit their deployments and upgrade to the patched version promptly to prevent credential harvesting from log aggregation systems.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: vulnerability, security, secrets-management, go, logging
- **Credibility**: unverified
- **Published**: 2026-03-31 02:27:04
- **ID**: 42228
- **URL**: https://whisperx.ai/en/intel/42228