## OpenBao Plugins Exposed: Critical AuthZ Bypass in Docker Dependency (GO-2026-4887)
A critical security vulnerability has been identified in a core dependency of the OpenBao open-source secrets management platform. The finding, tracked as GO-2026-4887, describes a reachable flaw in the Moby (Docker) engine that allows an authorization (AuthZ) plugin bypass when oversized request bodies are processed. This is not an isolated library issue: the vulnerable dependency is pulled into the main branch of the `openbao/openbao-plugins` repository, exposing several critical authentication and secrets management functions.

The vulnerability lives in the `github.com/docker/docker` dependency at version `v28.3.3+incompatible`. It is not merely a theoretical risk: the `govulncheck` scanner reports that the vulnerable code path is reachable from the plugin code, so the flaw sits on a live call path rather than in an unused corner of the module graph (reachability is a static call-graph result; whether it is exploitable in a given deployment still depends on how that path is exposed). The exposure spans the plugin codebase and affects key security handlers. Specifically, the vulnerable code is reached from the `Auth` function in the AWS CLI authentication module (`auth/aws/cli.go:41`), the `Open` function in the internal HTTP handler (`internal/http/handler.go:703`), and the `Do` function in the Azure secrets provider (`secrets/azure/provider.go:140`).

This creates a direct and severe risk for any deployment that uses OpenBao plugins for cloud secrets management (AWS, Azure) or service discovery (Consul). An attacker could potentially bypass critical authorization checks by sending specially crafted, oversized requests. The most alarming detail is that the fixed version for this dependency is currently listed as "N/A", indicating that no patch is yet available upstream. OpenBao deployments that rely on these plugins therefore remain in a state of heightened exposure and require an immediate architectural review, with workarounds where possible, to mitigate the active bypass risk.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: vulnerability, security, open-source, docker, secrets-management
- **Credibility**: unverified
- **Published**: 2026-04-06 01:27:01
- **ID**: 50888
- **URL**: https://whisperx.ai/en/intel/50888