openbao/openbao v2.5.2

on GitHub

SECURITY

• auth/jwt: Prevent XSS via error_description parameter in callback_mode=direct auth methods. CVE-2026-33758. [GH-2709]
• auth/jwt: Prompt for confirmation during direct callback mode to authorize OpenBao token issuance. CVE-2026-33757. [GH-2710]

BUG FIXES

• command: External token helpers now inherit environment variables from the parent process. [GH-2570]
• core/metrics: Fix count of leases/tokens/kv-secrets/entities metric not being emitted. [GH-2672]
• core/mounts, core/namespaces: Fix lock ordering in mount deletion racing against namespace updates, causing deadlocks. [GH-2625]
• core/seal: Fix /sys/rotate/root call rotating both root key and unseal key when using a Shamir Seal, losing all key shares. [GH-2619]
• core: Skip re-scheduling lease expiration jobs that need to write to storage when a node unseals in read-only mode. [GH-2549]
• core: Fix potential deadlock in JobManager, which can cause mount deletion timeouts. [GH-2630]
• http: Forward help requests to active node when unable to handle them on standby with read requests handling disabled. [GH-2572]
• identity/oidc: Fix OIDC named key rotation silently skipping in non-root namespaces due to double namespace prefix in storage path lookup. [GH-2669]
• raft: Propagate peer join/remove/promote/demote and autopilot read/update requests to active node. [GH-2574]

What's Changed

• Bump github.com/bgentry/speakeasy to v0.2.0 (#2535 by @agrimault-dinum) backported by @agrimault-dinum in #2545
• Fix expired test certificates (#2552 by @satoqz) backported by @phil9909 in #2631
• Skip lease restoration on standby nodes (#2549 by @wslabosz-reply) backported by @phil9909 in #2632
• Pass full environment to token helper (#2570 by @satoqz) backported by @phil9909 in #2633
• Handle help requests on standby nodes when reads are disabled (#2572 by @wslabosz-reply) backported by @phil9909 in #2634
• Don't iterate namespaces on mount deletion (#2625 by @satoqz) backported by @phil9909 in #2635
• fix race condition in jobmanager (#2630 by @phil9909) backported by @phil9909 in #2636
• Bump github.com/cloudflare/circl to v1.6.3 (#2577 by @satoqz) backported by @satoqz in #2652
• Fix root key rotation endpoint rotating Shamir's KEK (#2619 by @wslabosz-reply) backported by @satoqz in #2650
• Bump to Go 1.25.8 (#2609 by @satoqz) backported by @satoqz in #2651
• Forward raft autopilot operations (#2574 by @wslabosz-reply) backported by @satoqz in #2659
• Fix regression in OIDC named key rotation (#2669 by @JAYKRISHNAN) backported by @phil9909 in #2694
• Fix missing emitMetricsActiveNode metrics (#2672 by @wslabosz-reply) backported by @satoqz in #2697
• Resolve GHSA-cpj3-3r2f-xj59 (#2709 by @gianklug) by @cipherboy in #2711
• Resolve GHSA-7q7g-x6vg-xpc3 (#2710 by @gianklug) by @cipherboy in #2713
• Add changelog for v2.5.2 by @cipherboy in #2715

Full Changelog: v2.5.1...v2.5.2