CVE-2025-54998: 
Homebrew vulnerability analysis and mitigation

OpenBao versions 0.1.0 through 2.3.1 contain a vulnerability that allows attackers to bypass the automatic user lockout mechanisms in the OpenBao Userpass or LDAP auth systems. The vulnerability (CVE-2025-54998) was discovered and disclosed in August 2025, affecting the authentication components of OpenBao, a software solution designed to manage, store, and distribute sensitive data including secrets, certificates, and keys (GitHub Advisory, HashiCorp Discussion).

The vulnerability stems from inconsistent aliasing between pre-flight and full login request user entity alias attributions. This occurs specifically in the authentication process where different cases of characters in the username could be used to bypass the lockout mechanism when an auth method was not configured to be case sensitive. The issue has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, indicating it can be exploited remotely with low attack complexity and requires no privileges or user interaction (GitHub Advisory).

The vulnerability allows attackers to circumvent the user lockout security mechanism designed to prevent brute force attacks against user authentication. This could potentially lead to unauthorized access attempts without triggering the intended security controls (GitHub Advisory).

The vulnerability has been fixed in OpenBao version 2.3.2. For users unable to upgrade immediately, a workaround is available by applying rate-limiting quotas on the authentication endpoints. This can be implemented using the rate-limit quotas feature documented at openbao.org/api-docs/system/rate-limit-quotas/ (GitHub Advisory, HashiCorp Discussion).