Improper Neutralization
Overview: Affected versions of this package are vulnerable to Improper Neutralization via the username_as_alias parameter in the LDAP authentication process. An attacker can gain unauthorized access to resources protected by multi-factor authentication by supplying a crafted username that bypasses...
CVE-2025-55001 OpenBao LDAP MFA Enforcement Bypass When Using Username As Alias
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, OpenBao allowed the assignment of policies and MFA attribution based upon entity aliases, chosen by the underlying auth method. Whe...
CVE-2025-55001
OpenBao LDAP MFA enforcement bypass (CVE-2025-55001) affects version 2.3.1 and earlier. When username_as_alias=true is used with LDAP auth, the caller-supplied username is used verbatim, bypassing alias-specific MFA requirements and potentially exposing confidential data and keys. The iss...
CVE-2025-54998
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, attackers could bypass the automatic user lockout mechanisms in the OpenBao Userpass or LDAP auth systems. This was caused by...
CVE-2025-54998 OpenBao Userpass and LDAP User Lockout Bypass
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, attackers could bypass the automatic user lockout mechanisms in the OpenBao Userpass or LDAP auth systems. This was caused by...
GHSA-2Q8Q-8FGW-9P6P OpenBao LDAP MFA Enforcement Bypass When Using Username As Alias
Impact: OpenBao allows assignment of policies and MFA attribution based upon entity aliases, chosen by the underlying auth method. When using the username_as_alias=true parameter in the LDAP auth method, the caller-supplied username is used verbatim without normalization, allowing an attacker to...
OpenBao LDAP MFA Enforcement Bypass When Using Username As Alias
Impact: OpenBao allows assignment of policies and MFA attribution based upon entity aliases, chosen by the underlying auth method. When using the username_as_alias=true parameter in the LDAP auth method, the caller-supplied username is used verbatim without normalization, allowing an attacker to...
GHSA-J3XV-7FXP-GFHX OpenBao Userpass and LDAP User Lockout Bypass
Impact: Attackers could bypass the automatic user lockout mechanisms in the OpenBao Userpass or LDAP auth systems. This was caused by different aliasing between pre-flight and full login request user entity alias attributions. Patches: OpenBao v2.3.2 will patch this issue. Workarounds: Existing user...
OpenBao Userpass and LDAP User Lockout Bypass
Impact: Attackers could bypass the automatic user lockout mechanisms in the OpenBao Userpass or LDAP auth systems. This was caused by different aliasing between pre-flight and full login request user entity alias attributions. Patches: OpenBao v2.3.2 will patch this issue. Workarounds: Existing user...
PT-2025-32383 · Openbao · Openbao
Name of the Vulnerable Software and Affected Versions: OpenBao versions 2.3.1 and below. Description: OpenBao allows the assignment of policies and MFA attribution based on entity aliases. When the username_as_alias=true parameter in the LDAP auth method is used, the supplied username is used...
Linux Distros Unpatched Vulnerability : CVE-2025-38286
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - pinctrl: at91: Fix possible out-of-boundary access. at91_gpio_probe() doesn't check that given OF alias is not available or something went wrong when trying to get i...
SUSE CVE-2025-6013
Vault and Vault Enterprise's "Vault" ldap auth method may not have correctly enforced MFA if username_as_alias was set to true and a user had multiple CNs that are equal but with leading or trailing spaces. Fixed in Vault Community Edition 1.20.2 and Vault Enterprise 1.20.2, 1.19.8, 1.18.13, and...
Improper Neutralization
Overview: github.com/hashicorp/vault/builtin/credential/ldap is a package ldap for Hashicorp. Affected versions of this package are vulnerable to Improper Neutralization in the ldap authentication method when username_as_alias is enabled and a user has multiple CNs that are equal except for leading ...
CVE-2025-6013
Vault and Vault Enterprise’s “Vault” ldap auth method may not have correctly enforced MFA if username_as_alias was set to true and a user had multiple CNs that are equal but with leading or trailing spaces. Fixed in Vault Community Edition 1.20.2 and Vault Enterprise 1.20.2, 1.19.8, 1.18.13, and...
CVE-2025-6013 Vault LDAP MFA Enforcement Bypass When Using Username As Alias
Vault and Vault Enterprise’s “Vault” ldap auth method may not have correctly enforced MFA if username_as_alias was set to true and a user had multiple CNs that are equal but with leading or trailing spaces. Fixed in Vault Community Edition 1.20.2 and Vault Enterprise 1.20.2, 1.19.8, 1.18.13, and...