CVE-2025-52894: 
Wolfi vulnerability analysis and mitigation

OpenBao, a software solution for managing sensitive data including secrets, certificates, and keys, was found to contain a security vulnerability (CVE-2025-52894) affecting versions before v2.3.0. The vulnerability was discovered and disclosed on June 25, 2025, allowing attackers to perform unauthenticated and unaudited cancellation of root rekey and recovery rekey operations (NVD, Wiz).

The vulnerability stems from improper input validation (CWE-20) in the rekey operation endpoints, specifically affecting the unauthenticated endpoints under /sys/rekey/* and /sys/rekey-recovery-key/*. The vulnerability has been assigned a CVSS v4.0 score of 6.9 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N (GitHub Advisory).

The vulnerability enables attackers to cause a denial of service by interrupting valid rekey operations. An unauthenticated attacker can call the cancel endpoint (DELETE /sys/rekey/init or DELETE /sys/rekey-recovery-key/init) to disrupt ongoing rekey operations. Additionally, attackers can initiate unauthorized rekey operations, though these operations would not be successful (OpenBao Docs).

A patch is available in OpenBao v2.3.0. For versions 2.2.0 and later, operators can manually set the configuration option disable_unauthed_rekey_endpoints=true to deny these rarely-used endpoints on global listeners. As a temporary workaround, if an active proxy or load balancer is present, operators can deny requests to these endpoints from unauthorized IP ranges. The maintainers plan to set this parameter to true by default in v2.4.0 and provide an authenticated alternative (OpenBao Commit).