Impact When using OpenBao's userpass auth method, user enumeration was possible due to timing difference between non-existent users and users with stored credentials. This is independent of whether the supplied credentials were valid for the given user. Patches OpenBao v2.3.2 will patch this issue. Workarounds Users may use another auth method or apply rate limiting quotas to limit the number of requests in a period of time: https://openbao.org/api-docs/system/rate-limit-quotas/ References This issue was disclosed to HashiCorp and is the OpenBao equivalent of the following tickets: https://discuss.hashicorp.com/t/hcsec-2025-15-timing-side-channel-in-vault-s-userpass-auth-method/76034 https://nvd.nist.gov/vuln/detail/CVE-2025-6011 Barring further information, this is also assumed to cover and remediate the following additional vulnerability: https://discuss.hashicorp.com/t/hcsec-2025-21-vault-user-enumeration-in-userpass-auth-method/76095 https://nvd.nist.gov/vuln/detail/CVE-2025-6010 If this is not the case as further details emerge, a new CVE will be assigned for remediating that. Otherwise, no further CVE will be…Read More