OpenBao 2.3.x release notes
v2.3.2
Release date: August 7, 2025
warning
Due to security vulnerabilities, there are three breaking changes in this security release:
audit
subsystem will no longer allow creation of new devices via the API except by settingunsafe_allow_api_audit_creation
. In the v2.4.0 release, support for configuration-based audit device definition will be added.auth/ldap
has changed entity formats to normalize against whitespace and case-sensitivity when the unsafeusername_as_alias=true
parameter is set.- TOTP codes now must be exactly N numeric digits and cannot contain leading or trailing whitespace and will be rejected by the API if they do.
SECURITY
- audit: Add server configuration options to disable audit mount creation via the API and to disable audit log prefixing. HCSEC-2025-14 / CVE-2025-6000 / CVE-2025-54997. [GH-1634]
unsafe_allow_api_audit_creation (default: false)
controls the ability to create audit mounts via the APIallow_audit_log_prefixing (default: false)
controls the availability of the prefix audit mount option
- auth/mfa: correctly limit reuse of TOTP codes during login MFA enforcement. HCSEC-2025-19 / CVE-2025-6015 / CVE-2025-55003. [GH-1629]
- auth/userpass: Prevent timing-based leak in userpass auth method. HCSEC-2025-15 / CVE-2025-6011 / CVE-2025-54999. Assumed to also apply to HCSEC-2025-21 / CVE-2025-6010. [GH-1628]
- core/auth: Correctly handle alias lookahead for user lockout consistency. HCSEC-2025-16 / CVE-2025-6004 / CVE-2025-54998. auth/userpass: Consistently handle alias lookahead as case insensitive. HCSEC-2025-16 / CVE-2025-6004 / CVE-2025-54998. auth/ldap: Attempt consistent entity aliasing w.r.t. spacing and casing. HCSEC-2025-16 / CVE-2025-6004 / CVE-2025-54998 and HCSEC-2025-20 / CVE-2025-6013 / CVE-2025-55001. [GH-1632]
- core/identity: Correctly lowercase policy names to prevent root policy assignment. HCSEC-2025-13 / CVE-2025-5999 / CVE-2025-54996. [GH-1627]
- secrets/totp: Fix TOTP verification reuse bypass when the TOTP code contains spaces. HCSEC-2025-17 / CVE-2025-6014 / CVE-2025-55000. [GH-1625]
IMPROVEMENTS
- core: Update to Go 1.24.6. [GH-1637]
BUG FIXES
- Ignore missing mounts when deleting a namespace. This can happen when a mount is unmounted in parallel. [GH-1594]
- agent/template: add missing backoff mechanism for the templating server [GH-1448]
- core/namespaces: fixed race condition in namespace deletion operation during instance sealing [GH-1525]
- core/policies: fix bug with missing existing policies in namespaces during failover, startup [GH-1613]
- identity/oidc: Fix unintentional lowercasing of namespace accessor in assignments. [GH-1539]
v2.3.1
Release date: June 25, 2025
info
OpenBao v2.3.0 is unreleased due to a bug in Illumos builds. Illumos has been removed from v2.3.1 as a result, per policy.
SECURITY
- core/sys: Add listener parameter (
disable_unauthed_rekey_endpoints
, default:false
) to optionally disable unauthenticated rekey operations (tosys/rekey/*
andsys/rekey-recovery-key/*
) for a listener. This will be set to true in a future release; see the deprecation notice for more information. Auditing is now enabled for these endpoints as well. CVE-2025-52894. Upstream HCSEC-2025-11 / CVE-2025-4656. - sdk/framework: prevent additional information disclosure on invalid request. CVE-2025-52893. [GH-1495]
CHANGES
- packaging/systemd: Do not set LimitNOFILE, allowing Go to automatically manage this value on behalf of the server. See also https://github.com/golang/go/issues/46279. [GH-1179]
- storage/postgresql: Support empty connection URLs to use standard component-wise variables [GH-1297]
- packaging: Support for Illumos removed due to broken builds [GH-1503]
FEATURES
- KMIP Auto-Unseal: Add support for automatic unsealing of OpenBao using a KMIP protocol. [GH-1144]
- Namespaces UI Support: Added namespace UI support, including namespace picker and namespace management pages. [GH-1406]
- Namespaces: Support for tenant isolation using namespaces, application API compatible with upstream's implementation.
- Create, read, update, delete a hierarchical directory of namespaces
- Manage isolated per-namespace secrets engines, auth methods, tokens, policies and more
- Migrate (remount) secrets engines and auth methods between namespaces
- Lock and unlock namespaces
- Route requests to namespaces via path (
/my-namespace/secrets
) orX-Vault-Namespace
header (or both!) - CLI support via the
bao namespace
family of commands and the-namespace
flag. [GH-1165]
- Add ARM64 HSM builds and Alpine-based HSM container images [GH-1427]
- Support Common Expression Language (CEL) in PKI. CEL allows role authors to create flexible, dynamic certificate policies with complex, custom validation support and arbitrary control over the final certificate object. [GH-794]
- auth/jwt: Add support for Common Expression Language (CEL) login roles. CEL allows role authors to create flexible, dynamic policies with complex, custom claim validation support and arbitrary templating of
logical.Auth
data. [GH-869] - ssh: Support multiple certificate issuers in SSH secret engine mounts, enabling safer rotation of SSH CA key material [GH-880]
IMPROVEMENTS
- When using auto-unseal via KMS, KMS-specific configuration information (non-sensitive) is now logged at server startup. [GH-1346]
- approle: Use transactions for read + write operations [GH-992]
- auth/jwt: Support lazy resolution of oidc_discovery_url or jwks_url when skip_jwks_validation=true is specified on auth/jwt/config; OIDC status is now reported on reading the configuration. [GH-1306]
- core/identity: add unsafe_cross_namespace_identity to give compatibility with Vault Enterprise's cross-namespace group membership. [GH-1432]
- core/policies: Add check-and-set support for modifying policies, allowing for protection against concurrent modifications. [GH-1162]
- core/policies: Add endpoint to allow detailed listing of policies [GH-1224]
- core/policies: Allow setting expiration on policies and component paths, removing policies or preventing usage of path rules after expiration. [GH-1142]
- core: Support pagination and transactions in ClearView, CollectKeys, and ScanView, improving secret disable memory consumption and request consistency. [GH-1102]
- database/valkey: Revive Redis plugin as Valkey, the OSI-licensed fork of Redis [GH-1019]
- database: Use transactions for read-then-write methods in the database package [GH-995]
- pki: add not_after_bound and not_before_bound role parameters to safely limit issuance duration [GH-1172]
- ssh: Use transactions for read-then-write or multiple write methods in the ssh package [GH-989]
- storage/postgresql: support retrying database connection on startup to gracefully handle service ordering issues [GH-1280]
DEPRECATIONS
- Configuration of PKCS#11 auto-unseal using the duplicate and undocumented
module
,token
andkey
options is now deprecated. Use the documented alternative optionslib
,token_label
andkey_label
instead, respectively. (More details) [GH-1385]
BUG FIXES
- api: Stop marshaling nil interface data and adding it as a request body on an api.Request [GH-1315]
- core/identity: load namespace entities, groups into MemDB preventing them from disappearing on restart. [GH-1432]
- oidc: add some buffer time after calling oidcPeriodicFunc in test, to prevent flakiness [GH-1178]
- pki: addresses a timing issue revealed in pki Backend_RevokePlusTidy test [GH-1139]
- sealing/pkcs11: OpenBao now correctly finalizes the PKCS#11 library on shutdown (https://github.com/openbao/go-kms-wrapping/pull/32). This is unlikely to have caused many real-world issues so far. [GH-1349]
- secrets/kv: Fix panic on detailed metadata list when results include a directory. [GH-1388]
- storage/postgresql: Remove redundant PermitPool enforced by db.SetMaxOpenConns(...). [GH-1299]
- storage/postgresql: skip table creation automatically on PostgreSQL replicas [GH-1478]
- vault: addresses a timing issue revealed in OIDC_PeriodicFunc test [GH-1129]
- vault: fixes a timing issue in OIDC_PeriodicFunc test [GH-1100]
v2.3.0-beta20250528
Release date: May 28, 2025
SECURITY
- sdk/framework: prevent information disclosure on invalid request. HCSEC-2025-09 / CVE-2025-4166. [GH-1323]
CHANGES
- openbao: update modules and checksums to address vulnerabilities [GH-1126]
- packaging/systemd: Do not set LimitNOFILE, allowing Go to automatically manage this value on behalf of the server. See also https://github.com/golang/go/issues/46279. [GH-1179]
- storage/postgresql: Support empty connection URLs to use standard component-wise variables [GH-1297]
FEATURES
- KMIP Auto-Unseal: Add support for automatic unsealing of OpenBao using a KMIP protocol. [GH-1144]
- Namespaces: Support for tenant isolation using namespaces, application API compatible with upstream's implementation.
- Create, read, update, delete a hierarchical directory of namespaces
- Manage isolated per-namespace secrets engines, auth methods, tokens, policies and more
- Migrate (remount) secrets engines and auth methods between namespaces
- Lock and unlock namespaces
- Route requests to namespaces via path (
/my-namespace/secrets
) orX-Vault-Namespace
header (or both!) - CLI support via the
bao namespace
family of commands and the-namespace
flag. [GH-1165]
- ssh: Support multiple certificate issuers in SSH secret engine mounts, enabling safer rotation of SSH CA key material [GH-880]
IMPROVEMENTS
- When using auto-unseal via KMS, KMS-specific configuration information (non-sensitive) is now logged at server startup. [GH-1346]
- approle: Use transactions for read + write operations [GH-992]
- auth/jwt: Support lazy resolution of oidc_discovery_url or jwks_url when skip_jwks_validation=true is specified on auth/jwt/config; OIDC status is now reported on reading the configuration. [GH-1306]
- core/policies: Add check-and-set support for modifying policies, allowing for protection against concurrent modifications. [GH-1162]
- core/policies: Add endpoint to allow detailed listing of policies [GH-1224]
- core/policies: Allow setting expiration on policies and component paths, removing policies or preventing usage of path rules after expiration. [GH-1142]
- core: Support pagination and transactions in ClearView, CollectKeys, and ScanView, improving secret disable memory consumption and request consistency. [GH-1102]
- database/valkey: Revive Redis plugin as Valkey, the OSI-licensed fork of Redis [GH-1019]
- database: Use transactions for read-then-write methods in the database package [GH-995]
- pki: add not_after_bound and not_before_bound role parameters to safely limit issuance duration [GH-1172]
- ssh: Use transactions for read-then-write or multiple write methods in the ssh package [GH-989]
- storage/postgresql: support retrying database connection on startup to gracefully handle service ordering issues [GH-1280]
BUG FIXES
- api: Stop marshaling nil interface data and adding it as a request body on an api.Request [GH-1315]
- cli: Return a quoted string URL when -output-curl-string flag is passed in [GH-1038]
- oidc: add some buffer time after calling oidcPeriodicFunc in test, to prevent flakiness [GH-1178]
- pki: addresses a timing issue revealed in pki Backend_RevokePlusTidy test [GH-1139]
- sealing/pkcs11: OpenBao now correctly finalizes the PKCS#11 library on shutdown (https://github.com/openbao/go-kms-wrapping/pull/32). This is unlikely to have caused many real-world issues so far. [GH-1349]
- secrets/pki: Remove null value for subproblems encoding, fixing compatibility with certain ACME clients like certbot. [GH-1236]
- storage/postgresql: Remove redundant PermitPool enforced by db.SetMaxOpenConns(...). [GH-1299]
- ui: Fix description of Organizational Unit (OU) field in PKI. [GH-1333]
- vault: addresses a timing issue revealed in OIDC_PeriodicFunc test [GH-1129]
- vault: fixes a timing issue in OIDC_PeriodicFunc test [GH-1100]