Main Vulnerability Database SB2025102838

SB2025102838 - User impersonation in OpenBao AWS Plugin

Published: October 28, 2025

Security Bulletin ID SB2025102838

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Improper privilege management (CVE-ID: CVE-2025-59048)

The vulnerability allows a remote user to impersonate other users.

The vulnerability exists due to a flawed caching mechanism that fails to validate the AWS Account ID during authentication. An IAM role from an untrusted AWS account to authenticate by impersonating a role with the same name in a trusted account, leading to unauthorized access.

Remediation

Install update from vendor's website.

References

https://github.com/openbao/openbao-plugins/commit/2a77af36834746ca6d3ac9bd1049154c84b3efae
https://github.com/openbao/openbao-plugins/security/advisories/GHSA-jp7h-4f3c-9rc7