The Janitor's Key: Turning OpenBao Audit Logs into RCE
Jan 1, 2026 · 6 min read
Executive Summary (TL;DR)
A high-privilege RCE vulnerability (CVSS 9.1) lets an operator who can write to `sys/audit` turn the audit logging subsystem into an arbitrary file write primitive. By pointing a `file` audit device at a sensitive path (for example a file under `/etc/cron.d`) and setting a `prefix` that forms a valid crontab line ahead of each JSON record, an attacker can get code executed as the Vault/OpenBao service user. The issue is fixed in the versions listed under Affected Systems; until an upgrade is possible, restrict write access to `sys/audit` to the smallest set of operators and monitor it.
OpenBao and HashiCorp Vault, the secret stores at the center of many DevOps estates, carried the same logic flaw in their audit subsystems. A `file` audit device writes one JSON record per line to whatever `file_path` it is given, and the optional `prefix` is prepended to every line verbatim. Nothing constrained the path to a log directory or the prefix to log-safe content, so a privileged attacker could make the server write attacker-chosen bytes to an attacker-chosen host path. The write happens with the permissions of the service process, so the impact depends on how the service runs: a dedicated low-privilege user with a read-only system (for example systemd `ProtectSystem=strict`) cannot write into `/etc/cron.d`, while a service running as root can.
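Two defensive checks for the primitive described above, written as an added example for this page (not code from the OpenBao or Vault projects): the first inspects the live audit device configuration for `file` devices whose `file_path` leaves an allowlisted log directory or whose `prefix` contains anything a log prefix should not, and the second scans JSON audit log lines for writes to `sys/audit/...`. The response and log shapes below are modelled on Vault's `GET sys/audit` output and its JSON audit log but are assumptions; the sample data is constructed for the example.

```python
"""Added example: checks for file-audit-device abuse. Not project code.
JSON shapes are assumptions modelled on Vault's sys/audit response and
audit log; sample data below is constructed for the example."""
import json
import os
import re

# Directories in which an audit log file may legitimately live (assumption:
# adjust to your deployment).
ALLOWED_LOG_DIRS = ("/var/log/vault", "/var/log/openbao")

# A legitimate log prefix is a short tag; anything else (crontab fields,
# shell metacharacters, newlines, quotes) is treated as suspicious.
SUSPICIOUS_PREFIX = re.compile(r"[^A-Za-z0-9 _:\[\]\-]")


def check_audit_config(sys_audit_response, allowed_dirs=ALLOWED_LOG_DIRS):
    """Return (device, reason) findings for file audit devices whose
    file_path or prefix could be used as a host file write primitive."""
    findings = []
    for name, dev in sys_audit_response.get("data", {}).items():
        if dev.get("type") != "file":
            continue
        opts = dev.get("options", {}) or {}
        path = opts.get("file_path", "")
        prefix = opts.get("prefix", "")
        # "stdout" and "discard" are the file device's non-file sinks.
        if path in ("stdout", "discard"):
            continue
        # normpath collapses "..", so a traversal out of a log dir is caught.
        norm = os.path.normpath(path)
        if not any(norm.startswith(d.rstrip("/") + "/") for d in allowed_dirs):
            findings.append((name, f"file_path outside allowed log dirs: {path}"))
        if prefix and SUSPICIOUS_PREFIX.search(prefix):
            findings.append((name, f"prefix contains non-log characters: {prefix!r}"))
    return findings


def audit_device_changes(log_lines):
    """Scan JSON audit log lines for requests that enable or modify an audit
    device. Request data values in the log are HMAC'd, so the log shows only
    that sys/audit was written, by whom and from where; pair this with
    check_audit_config() to see the resulting path and prefix."""
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate a truncated or non-JSON line
        if entry.get("type") != "request":
            continue
        req = entry.get("request", {}) or {}
        if req.get("operation") in ("update", "create") and \
                req.get("path", "").startswith("sys/audit/"):
            hits.append({
                "time": entry.get("time"),
                "path": req["path"],
                "entity_id": (entry.get("auth") or {}).get("entity_id"),
                "remote": req.get("remote_address"),
            })
    return hits


# Constructed sample of a sys/audit response: one benign device and one
# file device aimed at cron.d with a crontab-shaped prefix.
SAMPLE_SYS_AUDIT = {
    "data": {
        "file/": {"type": "file", "description": "", "local": False, "path": "file/",
                  "options": {"file_path": "/var/log/vault/audit.log"}},
        "cleanup/": {"type": "file", "description": "", "local": False, "path": "cleanup/",
                     "options": {"file_path": "/etc/cron.d/cleanup",
                                 "prefix": "* * * * * root /tmp/c.sh #"}},
    }
}

# Constructed sample audit log lines (values HMAC'd as the real log does).
SAMPLE_LOG = [
    '{"time":"2025-07-30T10:00:00Z","type":"request","auth":{"entity_id":"e-1"},'
    '"request":{"operation":"read","path":"secret/data/app"}}',
    '{"time":"2025-07-30T10:01:00Z","type":"request","auth":{"entity_id":"e-2"},'
    '"request":{"operation":"update","path":"sys/audit/cleanup","remote_address":"10.0.0.5",'
    '"data":{"type":"hmac-sha256:...","options":{"file_path":"hmac-sha256:...","prefix":"hmac-sha256:..."}}}}',
    '{"time":"2025-07-30T10:01:01Z","type":"response",'
    '"request":{"operation":"update","path":"sys/audit/cleanup"}}',
]

if __name__ == "__main__":
    for device, reason in check_audit_config(SAMPLE_SYS_AUDIT):
        print(f"CONFIG {device}: {reason}")
    for hit in audit_device_changes(SAMPLE_LOG):
        print(f"LOG    {hit['time']} {hit['path']} by {hit['entity_id']} from {hit['remote']}")
```

To run the configuration check against a real cluster, feed it the parsed output of `vault read -format=json sys/audit` (or the `bao` equivalent); the `data` key has the same shape as the sample. The log check is cheap enough to run as a streaming rule in a SIEM, and because any `sys/audit/...` update is rare in a healthy deployment it is a low-noise alert.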
Technical Appendix
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Affected Systems
Affected Versions Detail
| Product | Vendor | Affected Versions | Fixed Version |
|---|---|---|---|
| OpenBao | OpenBao | < 2.3.2 | 2.3.2 |
| Vault Community Edition | HashiCorp | < 1.20.1 | 1.20.1 |
| Vault Enterprise | HashiCorp | < 1.19.7 | 1.19.7 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-94 |
| Attack Vector | Network (API) |
| CVSS Score | 9.1 (Critical) |
| Privileges Required | High (write access to `sys/audit`) |
| Impact | Remote Code Execution (RCE) |
| Exploit Status | Conceptual / Weaponizable |
Weakness: CWE-94, Improper Control of Generation of Code ('Code Injection')