## OpenBao 2.4.x Release Branch Exposes Critical Moby Docker Vulnerability (GO-2026-4883)
A critical, reachable vulnerability in the Moby Docker engine has been identified within the active release branch of the OpenBao secrets management platform. The flaw, tracked as GO-2026-4883, is an off-by-one error in Docker's plugin privilege validation. This vulnerability is not theoretical: automated scanning confirms it is reachable within the `openbao/openbao` repository on the `release/2.4.x` branch, leaving a core security dependency directly exposed.

The vulnerability stems from the `github.com/docker/docker` dependency at version `v28.3.3+incompatible`. The advisory also links it to other dependencies, including `github.com/gocql/gocql` and `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp`. Crucially, the advisory lists the fixed version as "N/A", meaning no patch is yet available from upstream. The flaw surfaces in multiple critical code paths within OpenBao, including functions in its PKI (Public Key Infrastructure) and credential management systems, such as `builtin/logical/pki/acme_errors.go` and components under `builtin/credential/kerberos`.

This finding places immediate pressure on OpenBao maintainers and downstream users. Carrying an unpatched privilege-escalation vulnerability inside a tool designed for secret storage is a severe security contradiction. Organizations relying on the 2.4.x release for production secrets management now face a significant risk, because the vulnerability is embedded in live, reachable code. The situation demands urgent scrutiny of deployment architectures and may force a complex dependency fork or workaround until Moby provides an official fix.
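The practical first step for a downstream user is to find out which of their own Go modules pin the dependency version the advisory names, then reproduce the reachability finding with `govulncheck`. The script below is an added example, not code from the advisory or from the OpenBao project: it reads a `go.mod` path from its first argument, extracts the required `github.com/docker/docker` version (from either a one-line `require` or a `require ( ... )` block), and reports whether it matches `v28.3.3+incompatible`. The sample `go.mod` it writes is constructed for the demo and is not OpenBao's real module file; the `gocql` version in it is made up.

```shell
#!/bin/sh
# Added example (not from the advisory or OpenBao): offline triage of a Go
# module's go.mod for the github.com/docker/docker version the advisory names.
# Assumes the go.mod path is passed as $1. The sample go.mod below is
# constructed for illustration and is not OpenBao's real go.mod.

AFFECTED_MODULE="github.com/docker/docker"
AFFECTED_VERSION="v28.3.3+incompatible"   # version named in the advisory

# Print the version of $AFFECTED_MODULE required by the go.mod at $1.
# Handles both "require mod ver" on one line and a require ( ... ) block.
# It does not follow replace directives, so govulncheck remains the
# authoritative step after this triage.
docker_dep_version() {
    awk -v mod="$AFFECTED_MODULE" '
        $1 == "require" && $2 == mod { print $3; exit }
        $1 == mod                    { print $2; exit }
    ' "$1"
}

# Exit status 0 when the go.mod at $1 pins the advisory's affected version.
is_affected_gomod() {
    [ "$(docker_dep_version "$1")" = "$AFFECTED_VERSION" ]
}

# One verdict line per go.mod, for sweeping many repositories.
triage_gomod() {
    ver=$(docker_dep_version "$1")
    if [ -z "$ver" ]; then
        echo "$1: $AFFECTED_MODULE not required"
    elif is_affected_gomod "$1"; then
        echo "$1: AFFECTED ($AFFECTED_MODULE $ver) - run govulncheck to confirm reachability"
    else
        echo "$1: $AFFECTED_MODULE $ver differs from the advisory version, review manually"
    fi
}

# --- demo on a constructed go.mod (not OpenBao's) ---
SAMPLE_GOMOD=$(mktemp)
cat > "$SAMPLE_GOMOD" <<'EOF'
module example.com/constructed-app

go 1.24

require (
	github.com/docker/docker v28.3.3+incompatible
	github.com/gocql/gocql v1.7.0
)
EOF
triage_gomod "$SAMPLE_GOMOD"
rm -f "$SAMPLE_GOMOD"

# The advisory's "reachable" claim is a call-graph result; reproduce it with:
#   go install golang.org/x/vuln/cmd/govulncheck@latest
#   govulncheck ./...      # inside a checkout of the release/2.4.x branch
```

Sweep a fleet with something like `find /srv/repos -name go.mod -exec sh triage.sh {} \;`; repositories reported as AFFECTED are the ones worth the slower `govulncheck` run, which also resolves `replace` directives and vendored copies this grep-level check ignores.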
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: vulnerability, cybersecurity, docker, secrets-management, open-source
- **Credibility**: unverified
- **Published**: 2026-04-05 01:26:52
- **ID**: 50266
- **URL**: https://whisperx.ai/en/intel/50266