Skip to main content

OpenBao 2.4.x release notes

v2.4.3

Release date: October 22, 2025

info

OpenBao v2.4.2 is unreleased due to release pipelines running out of space, requiring a new tag to be pushed. The release notes are otherwise equivalent and either tag will fix the relevant issues below.

SECURITY

  • audit: redact HTTPRawBody response parameter in audit logs; CVE-2025-62513 / GHSA-ghfh-fmx4-26h8. [GH-2002]
  • audit: redact []byte type response parameters in audit logs; CVE-2025-62705 / GHSA-rc54-2g2c-g36g. [GH-2002]

IMPROVEMENTS

  • core/namespaces: Setting the X-Vault-Namespace Header (or the BAO_NAMESPACE environment variable when using the cli) to "root" now maps to the root namespace. [GH-1918]

BUG FIXES

  • core/identity: Entities timestamps are now correctly formatted in RFC3339Nano, as previously done so. [GH-1873]
  • core/namespaces: Fix mount creation failing if mount name is equal to the name of the containing namespace [GH-1958]
  • core/namespaces: ensure interrupted namespace creation fails gracefully; prevents identity store panic and partial memory-only namespaces [GH-1990]
  • core/namespaces: only report namespaces which the provided token has access to from sys/internal/ui/namespaces [GH-1982]
  • raft: fix memory leak on standby nodes [GH-1889]
  • sdk/framework: Reduce memory usage of repeated mounts through singleton pattern regex cache [GH-1893]
  • secrets/kv: KV entries timestamps are now correctly formatted in RFC3339Nano, as previously done so. [GH-1872]

v2.4.1

Release date: September 11, 2025

SECURITY

  • http: Limit the complexity of JSON in HTTP request bodies through max_request_json_memory and max_request_json_strings. HCSEC-2025-24 / CVE-2025-6203 / CVE-2025-59043. [GH-1756]

BUG FIXES

  • auth/jwt: Add missing OIDC flow in JWK validator construction [GH-1779]
  • auth/jwt: Support token renewal with CEL roles. [GH-1776]
  • auth/mfa: Allow single-flow MFA to work with inline authentication. [GH-1753]
  • auth/mfa: Correctly persist tokens created through two-step MFA login enforcement. [GH-1753]
  • command: fix operator init not allowing for 0 as recovery_shares value. [GH-1754]
  • command: fix operator rotate-keys not returning recovery keys when server is initialized with 0 recovery_shares. [GH-1754]

v2.4.0

Release date: August 28, 2025

SECURITY

  • audit/file: Restrict mode parameter
    • Refuse setting an irregular file mode
    • Silently strip any executable bits [GH-1651]

CHANGES

  • certutil.ParsePublicKeyPEM of the package github.com/openbao/openbao/sdk/v2/helper/certutil will now return a crypto.PublicKey instead of any. You might need to remove type assertions from your code. [GH-1611]
  • database: Drop obsolete upgrade check in roleAtPath() function introduced in v0.10 of Vault. [GH-1675]
  • sdk/framework: Remove LegacyStringToSliceHookFunc, use mapstructure.StringToWeakSliceHookFunc instead. [GH-1626]
  • sdk/helper: Removed sdk/helper/base62, sdk/helper/mlock, sdk/helper/parseutil, sdk/helper/password, sdk/helper/strutil, and sdk/helper/tlsutil packages.
    • Please use github.com/openbao/go-secure-stdlib/xxx or github.com/hashicorp/go-secure-stdlib/xxx instead.
  • sdk/database/helper/connutil: Removed Initialize from ConnectionProducer interface, and SQLConnectionProducer struct. [GH-1676]
  • sdk/logical: Introduce context to logical.HandleListPage(...). [GH-1696]
  • sdk: Bump Go version to 1.24.0 [GH-1690]
  • vault/seal: removal of deprecated migration path of an old pre-Vault v1.0 (encrypted) recovery config location [GH-1424]

FEATURES

  • Allow filtering LIST, SCAN responses via the list_scan_response_keys_filter_path parameter to restrict information to only readable or listable values. [GH-1389]
  • Configuration-Based Audit Devices: Create and remove audit devices through server configuration updates. Changes are applied on restart and SIGHUP with issues appearing in the logs. [GH-1700]
  • Declarative Self-Initialization: allow server operators to define initial service state through request-driven initialization that occurs automatically on first server start. Operators can reference environment variables and files to provision initial authentication, audit, and secret mounts in addition to having full control over general requests to OpenBao It is suggested to put the minimal necessary configuration in this and use a proper IaC platform like OpenTofu to perform further configuration of the instance. [GH-1506]
  • Delay recovery key generation for auto-unseal mechanisms and make rotation authenticated: Add authenticated root and recovery key rotation endpoints, allow delayed recovery key generation (setting initial shares to 0). Solve the issue with the unauthenticated recovery key rotation APIs. [GH-1518]
  • Inline, Write-less Authentication: support passing authentication information inline with the desired main operation to avoid the need for separate authentication calls, storing and maintaining tokens. This authentication form will not work with operations that create leases. In this form of authentication, no storage writes occur as a result of authentication allowing its use on future read-enabled standby nodes. [GH-1433]
  • Add static key unseal mechanism to allow auto-unseal in environments with explicit trust chaining. [GH-1425]

IMPROVEMENTS

  • api/auth/jwt: initial implementation of JWT Auth Method [GH-1526]
  • auth/oidc: Add new show_qr=true cli option to display a QR code of the login URL. [GH-1561]
  • auto-unsealing: Improved the clarity of the warning message logged when the server is uninitialized and auto-unsealing is configured. [GH-1411]
  • builtin/credential/jwt: Support TLS authentication against explicit alt name/subject. [GH-1533]
  • cel: Add cel-go ext helpers for string, list, optional, regex, math, set, and encoder operations [GH-1697]
  • cel: Unify CEL helper functions between JWT and PKI modules, making email validation and other utilities available across both authentication and certificate management [GH-1697]
  • cli: add new subcommand "bao operator validate-config" to validate a configuration file syntax [GH-1609]
  • core: sys/seal-status: endpoint now always returns the barrier seal type, explicitly adds recovery seal type [GH-1638]
  • deps: Update go-jose v3 to go-jose v4 [GH-1477]
  • secrets/kv: Add CAS (Compare-And-Swap) support for metadata operations in KV v2 secrets engine. Metadata updates now support versioning via metadata_cas parameter and metadata_cas_required configuration option to prevent concurrent modification conflicts. [GH-1372]
  • ui: change the message 'Vault is sealed to 'OpenBao is Sealed' by changing the title of the unseal template [GH-1652]
  • seal/pkcs11: Support and default to software encryption for RSA key types. [GH-1742]

DEPRECATIONS

  • storage/postgresql: remove support for legacy PostgreSQL versions before 9.5 which require a special upsert function. [GH-1570]

BUG FIXES

  • api: Fix compatibility with sys/health from Vault Enterprise [GH-1730]
  • command: fixes typo in Windows command for setting BAO_ADDR in development mode [GH-1527]
  • core/namespaces: Prevent infinite loop in namespace loading due to incorrect list pagination when more than 100 sibling namespaces exist under a given parent [GH-1696]
  • identity: fix nil panic when collecting metrics with unsafe_cross_namespace_identity=true. [GH-1715]
  • pki: Truncate should error on expired certificates [GH-1369]
  • releases: add missing container image manifests for *-hsm variants [GH-1597]
  • sdk: Various constants in the sdk package mistakenly had no explicit type. They now now typed correctly. [GH-1523]
  • secrets/pki: Prevent infinite loop in tidy stemming from incorrect list pagination [GH-1696]
  • storage/postgresql: more graceful handling of parallel table creation [GH-1506]