## OpenBao Secrets Operator Exposed: GO-2024-2947 Vulnerability Leaks Sensitive Auth Credentials to Logs
A confirmed, reachable vulnerability in the OpenBao Secrets Operator's main branch risks leaking sensitive HTTP basic authentication credentials directly into log files. The security flaw, identified as GO-2024-2947, stems from the `github.com/hashicorp/go-retryablehttp` dependency, which writes request URLs to its logs without sanitizing them first, so any username and password embedded in the URL are logged verbatim. This creates a direct path for exposure of secrets that the operator is designed to manage.

The vulnerability is present in the `openbao/openbao-secrets-operator` repository and is triggered by code in `internal/vault/client.go` at line 515 within the `Write` function. The operator depends on two specific vulnerable library versions: `github.com/hashicorp/go-retryablehttp@v0.7.1` and `github.com/hashicorp/vault/api@v1.9.2`. The govulncheck tool has verified that the source code contains a reachable call path to this flaw, meaning the vulnerable code can be executed under normal operation, increasing the immediate risk.

The fix is available in `github.com/hashicorp/go-retryablehttp` version `v0.7.7`. Until the operator is updated to incorporate this patched dependency, any deployment using the current `main` branch code could inadvertently write credentials to disk. This vulnerability represents a critical failure in the security boundary of a secrets management tool, potentially exposing the very data it is meant to protect to system administrators, attackers with log access, or automated log aggregation systems.
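As an added illustration (not code from the operator or from go-retryablehttp), the following shows the leaky logging pattern beside a sanitized form, plus a check a defender can run over existing log lines to find URLs that carry embedded credentials; the URL, account name and password are constructed placeholders, and the function names are hypothetical.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// credentialInURL matches scheme://user:password@host, the shape that leaks
// when an unsanitized URL is formatted into a log message.
var credentialInURL = regexp.MustCompile(`[A-Za-z][A-Za-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@`)

// SanitizeURL returns the URL with its userinfo removed, so neither username
// nor password can reach the logger. (url.URL.Redacted keeps the username and
// masks only the password; dropping both is the stricter choice for logs.)
func SanitizeURL(u *url.URL) string {
	ru := *u
	ru.User = nil
	return ru.String()
}

// RequestLogLine builds the debug line a retrying HTTP client might emit.
// sanitize=false reproduces the vulnerable pattern (URL written as-is);
// sanitize=true is the hardened form.
func RequestLogLine(method, rawURL string, sanitize bool) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	target := u.String()
	if sanitize {
		target = SanitizeURL(u)
	}
	return fmt.Sprintf("[DEBUG] %s %s", method, target), nil
}

// ContainsEmbeddedCredential is a detection check for existing log output:
// it reports whether a line carries a user:password@ URL.
func ContainsEmbeddedCredential(line string) bool {
	return credentialInURL.MatchString(line)
}

func main() {
	// Constructed sample; "hunter2" is a placeholder, not a real secret.
	raw := "https://svc-account:hunter2@vault.example.internal:8200/v1/auth/approle/login"
	leaky, _ := RequestLogLine("PUT", raw, false)
	safe, _ := RequestLogLine("PUT", raw, true)
	fmt.Println(leaky, ContainsEmbeddedCredential(leaky)) // credential present: true
	fmt.Println(safe, ContainsEmbeddedCredential(safe))   // credential gone: false
}
```

Running `ContainsEmbeddedCredential` over archived operator logs is a quick way to tell whether a deployment on the vulnerable dependency has already written credentials that need rotating.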
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: vulnerability, security, secrets-management, go, log-leak
- **Credibility**: unverified
- **Published**: 2026-04-01 04:27:01
- **ID**: 44587
- **URL**: https://whisperx.ai/en/intel/44587