CVE-2025-55001
OpenBao LDAP MFA Enforcement Bypass When Using Username As Alias
In short
OpenBao's LDAP authentication allows attackers to bypass multi-factor authentication (MFA) requirements by manipulating usernames when a specific setting is enabled. An attacker can use a crafted username to skip MFA checks that should be enforced.
Technical detail
When LDAP auth method uses username_as_alias=true, user-supplied usernames are not normalized before being used as entity aliases for policy and MFA enforcement. This allows attackers to bypass alias-specific MFA requirements by supplying alternate username formats. The vulnerability exists in OpenBao versions 2.3.1 and below, with fixes applied in version 2.3.2.
Summary generated and translated by AI from the official description.
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, OpenBao allowed the assignment of policies and MFA attribution based upon entity aliases, chosen by the underlying auth method. When the username_as_alias=true parameter in the LDAP auth method was in use, the caller-supplied username was used verbatim without normalization, allowing an attacker to bypass alias-specific MFA requirements. This issue was fixed in version 2.3.2. To work around this, remove all usage of the username_as_alias=true parameter and update any entity aliases accordingly.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Affected products
openbao · openbaoWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →