Skip to main content

OpenBao 2.3.x release notes

v2.3.2

Release date: August 7, 2025

warning

Due to security vulnerabilities, there are three breaking changes in this security release:

  • audit subsystem will no longer allow creation of new devices via the API except by setting unsafe_allow_api_audit_creation. In the v2.4.0 release, support for configuration-based audit device definition will be added.
  • auth/ldap has changed entity formats to normalize against whitespace and case-sensitivity when the unsafe username_as_alias=true parameter is set.
  • TOTP codes now must be exactly N numeric digits and cannot contain leading or trailing whitespace and will be rejected by the API if they do.

SECURITY

  • audit: Add server configuration options to disable audit mount creation via the API and to disable audit log prefixing. HCSEC-2025-14 / CVE-2025-6000 / CVE-2025-54997. [GH-1634]
    • unsafe_allow_api_audit_creation (default: false) controls the ability to create audit mounts via the API
    • allow_audit_log_prefixing (default: false) controls the availability of the prefix audit mount option
  • auth/mfa: correctly limit reuse of TOTP codes during login MFA enforcement. HCSEC-2025-19 / CVE-2025-6015 / CVE-2025-55003. [GH-1629]
  • auth/userpass: Prevent timing-based leak in userpass auth method. HCSEC-2025-15 / CVE-2025-6011 / CVE-2025-54999. Assumed to also apply to HCSEC-2025-21 / CVE-2025-6010. [GH-1628]
  • core/auth: Correctly handle alias lookahead for user lockout consistency. HCSEC-2025-16 / CVE-2025-6004 / CVE-2025-54998. auth/userpass: Consistently handle alias lookahead as case insensitive. HCSEC-2025-16 / CVE-2025-6004 / CVE-2025-54998. auth/ldap: Attempt consistent entity aliasing w.r.t. spacing and casing. HCSEC-2025-16 / CVE-2025-6004 / CVE-2025-54998 and HCSEC-2025-20 / CVE-2025-6013 / CVE-2025-55001. [GH-1632]
  • core/identity: Correctly lowercase policy names to prevent root policy assignment. HCSEC-2025-13 / CVE-2025-5999 / CVE-2025-54996. [GH-1627]
  • secrets/totp: Fix TOTP verification reuse bypass when the TOTP code contains spaces. HCSEC-2025-17 / CVE-2025-6014 / CVE-2025-55000. [GH-1625]

IMPROVEMENTS

  • core: Update to Go 1.24.6. [GH-1637]

BUG FIXES

  • Ignore missing mounts when deleting a namespace. This can happen when a mount is unmounted in parallel. [GH-1594]
  • agent/template: add missing backoff mechanism for the templating server [GH-1448]
  • core/namespaces: fixed race condition in namespace deletion operation during instance sealing [GH-1525]
  • core/policies: fix bug with missing existing policies in namespaces during failover, startup [GH-1613]
  • identity/oidc: Fix unintentional lowercasing of namespace accessor in assignments. [GH-1539]

v2.3.1

Release date: June 25, 2025

info

OpenBao v2.3.0 is unreleased due to a bug in Illumos builds. Illumos has been removed from v2.3.1 as a result, per policy.

SECURITY

  • core/sys: Add listener parameter (disable_unauthed_rekey_endpoints, default: false) to optionally disable unauthenticated rekey operations (to sys/rekey/* and sys/rekey-recovery-key/*) for a listener. This will be set to true in a future release; see the deprecation notice for more information. Auditing is now enabled for these endpoints as well. CVE-2025-52894. Upstream HCSEC-2025-11 / CVE-2025-4656.
  • sdk/framework: prevent additional information disclosure on invalid request. CVE-2025-52893. [GH-1495]

CHANGES

  • packaging/systemd: Do not set LimitNOFILE, allowing Go to automatically manage this value on behalf of the server. See also https://github.com/golang/go/issues/46279. [GH-1179]
  • storage/postgresql: Support empty connection URLs to use standard component-wise variables [GH-1297]
  • packaging: Support for Illumos removed due to broken builds [GH-1503]

FEATURES

  • KMIP Auto-Unseal: Add support for automatic unsealing of OpenBao using a KMIP protocol. [GH-1144]
  • Namespaces UI Support: Added namespace UI support, including namespace picker and namespace management pages. [GH-1406]
  • Namespaces: Support for tenant isolation using namespaces, application API compatible with upstream's implementation.
    • Create, read, update, delete a hierarchical directory of namespaces
    • Manage isolated per-namespace secrets engines, auth methods, tokens, policies and more
    • Migrate (remount) secrets engines and auth methods between namespaces
    • Lock and unlock namespaces
    • Route requests to namespaces via path (/my-namespace/secrets) or X-Vault-Namespace header (or both!)
    • CLI support via the bao namespace family of commands and the -namespace flag. [GH-1165]
  • Add ARM64 HSM builds and Alpine-based HSM container images [GH-1427]
  • Support Common Expression Language (CEL) in PKI. CEL allows role authors to create flexible, dynamic certificate policies with complex, custom validation support and arbitrary control over the final certificate object. [GH-794]
  • auth/jwt: Add support for Common Expression Language (CEL) login roles. CEL allows role authors to create flexible, dynamic policies with complex, custom claim validation support and arbitrary templating of logical.Auth data. [GH-869]
  • ssh: Support multiple certificate issuers in SSH secret engine mounts, enabling safer rotation of SSH CA key material [GH-880]

IMPROVEMENTS

  • When using auto-unseal via KMS, KMS-specific configuration information (non-sensitive) is now logged at server startup. [GH-1346]
  • approle: Use transactions for read + write operations [GH-992]
  • auth/jwt: Support lazy resolution of oidc_discovery_url or jwks_url when skip_jwks_validation=true is specified on auth/jwt/config; OIDC status is now reported on reading the configuration. [GH-1306]
  • core/identity: add unsafe_cross_namespace_identity to give compatibility with Vault Enterprise's cross-namespace group membership. [GH-1432]
  • core/policies: Add check-and-set support for modifying policies, allowing for protection against concurrent modifications. [GH-1162]
  • core/policies: Add endpoint to allow detailed listing of policies [GH-1224]
  • core/policies: Allow setting expiration on policies and component paths, removing policies or preventing usage of path rules after expiration. [GH-1142]
  • core: Support pagination and transactions in ClearView, CollectKeys, and ScanView, improving secret disable memory consumption and request consistency. [GH-1102]
  • database/valkey: Revive Redis plugin as Valkey, the OSI-licensed fork of Redis [GH-1019]
  • database: Use transactions for read-then-write methods in the database package [GH-995]
  • pki: add not_after_bound and not_before_bound role parameters to safely limit issuance duration [GH-1172]
  • ssh: Use transactions for read-then-write or multiple write methods in the ssh package [GH-989]
  • storage/postgresql: support retrying database connection on startup to gracefully handle service ordering issues [GH-1280]

DEPRECATIONS

  • Configuration of PKCS#11 auto-unseal using the duplicate and undocumented module, token and key options is now deprecated. Use the documented alternative options lib, token_label and key_label instead, respectively. (More details) [GH-1385]

BUG FIXES

  • api: Stop marshaling nil interface data and adding it as a request body on an api.Request [GH-1315]
  • core/identity: load namespace entities, groups into MemDB preventing them from disappearing on restart. [GH-1432]
  • oidc: add some buffer time after calling oidcPeriodicFunc in test, to prevent flakiness [GH-1178]
  • pki: addresses a timing issue revealed in pki Backend_RevokePlusTidy test [GH-1139]
  • sealing/pkcs11: OpenBao now correctly finalizes the PKCS#11 library on shutdown (https://github.com/openbao/go-kms-wrapping/pull/32). This is unlikely to have caused many real-world issues so far. [GH-1349]
  • secrets/kv: Fix panic on detailed metadata list when results include a directory. [GH-1388]
  • storage/postgresql: Remove redundant PermitPool enforced by db.SetMaxOpenConns(...). [GH-1299]
  • storage/postgresql: skip table creation automatically on PostgreSQL replicas [GH-1478]
  • vault: addresses a timing issue revealed in OIDC_PeriodicFunc test [GH-1129]
  • vault: fixes a timing issue in OIDC_PeriodicFunc test [GH-1100]

v2.3.0-beta20250528

Release date: May 28, 2025

SECURITY

  • sdk/framework: prevent information disclosure on invalid request. HCSEC-2025-09 / CVE-2025-4166. [GH-1323]

CHANGES

  • openbao: update modules and checksums to address vulnerabilities [GH-1126]
  • packaging/systemd: Do not set LimitNOFILE, allowing Go to automatically manage this value on behalf of the server. See also https://github.com/golang/go/issues/46279. [GH-1179]
  • storage/postgresql: Support empty connection URLs to use standard component-wise variables [GH-1297]

FEATURES

  • KMIP Auto-Unseal: Add support for automatic unsealing of OpenBao using a KMIP protocol. [GH-1144]
  • Namespaces: Support for tenant isolation using namespaces, application API compatible with upstream's implementation.
    • Create, read, update, delete a hierarchical directory of namespaces
    • Manage isolated per-namespace secrets engines, auth methods, tokens, policies and more
    • Migrate (remount) secrets engines and auth methods between namespaces
    • Lock and unlock namespaces
    • Route requests to namespaces via path (/my-namespace/secrets) or X-Vault-Namespace header (or both!)
    • CLI support via the bao namespace family of commands and the -namespace flag. [GH-1165]
  • ssh: Support multiple certificate issuers in SSH secret engine mounts, enabling safer rotation of SSH CA key material [GH-880]

IMPROVEMENTS

  • When using auto-unseal via KMS, KMS-specific configuration information (non-sensitive) is now logged at server startup. [GH-1346]
  • approle: Use transactions for read + write operations [GH-992]
  • auth/jwt: Support lazy resolution of oidc_discovery_url or jwks_url when skip_jwks_validation=true is specified on auth/jwt/config; OIDC status is now reported on reading the configuration. [GH-1306]
  • core/policies: Add check-and-set support for modifying policies, allowing for protection against concurrent modifications. [GH-1162]
  • core/policies: Add endpoint to allow detailed listing of policies [GH-1224]
  • core/policies: Allow setting expiration on policies and component paths, removing policies or preventing usage of path rules after expiration. [GH-1142]
  • core: Support pagination and transactions in ClearView, CollectKeys, and ScanView, improving secret disable memory consumption and request consistency. [GH-1102]
  • database/valkey: Revive Redis plugin as Valkey, the OSI-licensed fork of Redis [GH-1019]
  • database: Use transactions for read-then-write methods in the database package [GH-995]
  • pki: add not_after_bound and not_before_bound role parameters to safely limit issuance duration [GH-1172]
  • ssh: Use transactions for read-then-write or multiple write methods in the ssh package [GH-989]
  • storage/postgresql: support retrying database connection on startup to gracefully handle service ordering issues [GH-1280]

BUG FIXES

  • api: Stop marshaling nil interface data and adding it as a request body on an api.Request [GH-1315]
  • cli: Return a quoted string URL when -output-curl-string flag is passed in [GH-1038]
  • oidc: add some buffer time after calling oidcPeriodicFunc in test, to prevent flakiness [GH-1178]
  • pki: addresses a timing issue revealed in pki Backend_RevokePlusTidy test [GH-1139]
  • sealing/pkcs11: OpenBao now correctly finalizes the PKCS#11 library on shutdown (https://github.com/openbao/go-kms-wrapping/pull/32). This is unlikely to have caused many real-world issues so far. [GH-1349]
  • secrets/pki: Remove null value for subproblems encoding, fixing compatibility with certain ACME clients like certbot. [GH-1236]
  • storage/postgresql: Remove redundant PermitPool enforced by db.SetMaxOpenConns(...). [GH-1299]
  • ui: Fix description of Organizational Unit (OU) field in PKI. [GH-1333]
  • vault: addresses a timing issue revealed in OIDC_PeriodicFunc test [GH-1129]
  • vault: fixes a timing issue in OIDC_PeriodicFunc test [GH-1100]