On behalf of the OpenBao project, I welcome collaboration with future researchers. We were not informed of these vulnerabilities before HashiCorp posted their usual CVE bulletins, which is disappointing. (Especially as HashiCorp's Vault no longer has an Open Source edition ;-)
We've triaged as being affected by 8 of the 9 CVEs (in fixing an earlier Cert Auth vulnerability, we correctly remediated this one) and have merged patches for most of them.
Happily, the community has done some great work on remediating these and I'm very appreciative of them.
I'm most excited about the audit changes: this was the impetus needed to make them be configuration driven in the next release series. Leaving audit device (which, as a reminder, have a socket mode which can make arbitrary TCP calls!) open to API callers is rather unsafe, even with prefix being limited.
(Edit: And of course it goes without saying, but we're more than happy to accept contributions to the community -- code, docs, technical, or otherwise!)
Somebody has to say this so I guess I'll take the hit: part of the cost of an unsanctioned fork of a large project is that you're not going to be in the embargo list. Even with a large base of developers and users, the mechanics of a community-driven open source project can make people gun-shy about pre-disclosing.
Over the long term, increasing prominence of your project will probably get you most disclosures directly, because vulnerability researchers are incentivized to confirm big targets for findings. But in the short term, I don't think this complaint about HashiCorp is based in any real norm of vulnerability disclosure.
I'll bite ;-) Appreciate your replies as always tptacek!
It is a fair criticism. But I think two things give us an advantage here:
1. IBM started this fork and later bought HashiCorp, with the acquisition having fully completed. I've broached the subject with both sides post-acquisition but got only a negative response from the HashiCorp side and no response from IBM. We are very much a known entity to the teams that matter inside IBM. And I'd posit within HashiCorp as well given I came out of their Vault Crypto team. ;-)
Whether IBM wishes to cooperate is a different matter. Mentioning again, publicly, doesn't hurt and hopefully raises awareness to researchers (such as yourself!).
2. The Linux Foundation's OpenSSF (our umbrella foundation) has a reputation which we try our best to uphold. Obviously they'd be rightfully upset if we shared pre-disclosure vulnerabilities widely. So we won't and don't. Certainly the broader Linux distribution security list is a positive model in this regard.
If this were J. Doe's pet fork of $CRITICAL_SOFTWARE, 100% agree. But the fork is neither new nor lacking in reputation of its component/parent entities, so I'd hope researchers give us the same consideration they would any other of LF's forks (Valkey, OpenSearch, OpenTofu, ...).
But that said, I've personally disclosed vulnerabilities post-fork to HashiCorp and have mentioned to them that I have stopped future disclosures without a further agreement. This just leads to a two-party zero-day vulnerability race, which is not in anyone's best interest.
These are all points well taken. I'd just say, don't look for any kind of coherent fairness in vulnerability embargo lists. Certainly, if you're a fork that the upstream doesn't want to exist, I don't think there's any norm that you'll automatically be included. I'm irritated about a number of embargo lists myself, but if the vulnerability researchers wanted to include me, they could, regardless of what IBM thought.
As someone who is actively migrating from HCP Vault Dedicated to self-hosted OpenBao, thanks for this update. Any CVE issues worth tracking / linking here?
Since HashiCorp and OP did not opt to disclose to OpenBao, the most authoritative source right now is HashiCorp's security tracker, linked down-thread: https://news.ycombinator.com/item?id=44821779
https://discuss.hashicorp.com/tag/security-vault is the aggregate link, with HCSEC-2025-[13..22] being the relevant topics.
I will be working shortly to acquire additional CVE numbers for OpenBao for the 8 affected issues.
HCSEC-2025-18 / CVE-2025-6037 (core user confusion bug) does not affect OpenBao.
In general, our release notes detail fixed security issues: https://openbao.org/docs/release-notes/2-3-0/ per policy https://github.com/openbao/.github/blob/main/SECURITY.md. This also has contact information if anyone wishes to discuss additional new security issues.