
GHSA-J3XV-7FXP-GFHX OpenBao Userpass and LDAP User Lockout Bypass

Impact

Attackers could bypass the automatic user lockout mechanisms in the OpenBao Userpass or LDAP auth systems. This was caused by different aliasing between pre-flight and full login request user entity alias attributions.

Patches

OpenBao v2.3.2 will patch this issue.

Workarounds

Existing users may apply rate-limiting quotas on the authentication endpoints: https://openbao.org/api-docs/system/rate-limit-quotas/

References

This issue was disclosed to HashiCorp and is the OpenBao equivalent of the following tickets: https://discuss.hashicorp.com/t/hcsec-2025-16-vault-userpass-and-ldap-user-lockout-bypass/76035
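The advisory attributes the bypass to the pre-flight check and the full login deriving the user entity alias differently. The following is an added, constructed model of that defect class and of the corresponding fix (one canonical alias derivation shared by both paths); it is not OpenBao's code, and the case-folding difference it uses is a hypothetical stand-in for whatever the real aliasing mismatch was.

```python
"""Model of a lockout bypass caused by inconsistent alias derivation.

Constructed illustration, not OpenBao's implementation: the lockout check
consults one alias key while failures are recorded under another, so the
failure counter the check reads never reaches the threshold.
"""
from collections import defaultdict

LOCKOUT_THRESHOLD = 3  # assumed value for the illustration


class LockoutStore:
    """Per-alias failed-login counter with a simple threshold lockout."""

    def __init__(self):
        self.failures = defaultdict(int)

    def is_locked(self, alias):
        return self.failures[alias] >= LOCKOUT_THRESHOLD

    def record_failure(self, alias):
        self.failures[alias] += 1


def preflight_alias(username):
    # Hypothetical pre-flight derivation: case-folds the username.
    return username.lower()


def login_alias(username):
    # Hypothetical full-login derivation: keeps the username as typed.
    return username


def attempt_login(store, username, password, check_alias, record_alias,
                  secret="hunter2"):
    """Return 'locked', 'failed' or 'ok' for one login attempt."""
    if store.is_locked(check_alias(username)):
        return "locked"
    if password != secret:
        store.record_failure(record_alias(username))
        return "failed"
    return "ok"


def vulnerable_flow(username, attempts):
    """Check and record use different derivations: lockout never triggers."""
    store = LockoutStore()
    return [attempt_login(store, username, "wrong", preflight_alias, login_alias)
            for _ in range(attempts)]


def fixed_flow(username, attempts):
    """Both paths share one canonical derivation: lockout triggers as designed."""
    store = LockoutStore()
    return [attempt_login(store, username, "wrong", preflight_alias, preflight_alias)
            for _ in range(attempts)]
```

The mixed-case username is what exposes the split in the vulnerable flow; a name that is already in canonical form behaves identically in both flows, which is why such a defect is easy to miss in tests that use only lower-case fixtures.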

