CVE-2025-59048
HIGHDescription
OpenBao's AWS Plugin generates AWS access credentials based on IAM policies. Prior to version 0.1.1, the AWS Plugin is vulnerable to cross-account IAM role Impersonation in the AWS auth method. The vulnerability allows an IAM role from an untrusted AWS account to authenticate by impersonating a role with the same name in a trusted account, leading to unauthorized access. This impacts all users of the auth-aws plugin who operate in a multi-account AWS environment where IAM role names may not be unique across accounts. This vulnerability has been patched in version 0.1.1 of the auth-aws plugin. A workaround for this issue involves guaranteeing that IAM role names are unique across all AWS accounts that could potentially interact with your OpenBao environment, and to audit for any duplicate IAM roles.
Is your site exposed to CVE-2025-59048?
Run a free security scan — no signup, results in seconds.
CVSS v3.1 Score
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| openbao | aws_plugin |
References
Frequently Asked Questions
What is CVE-2025-59048? +
How severe is CVE-2025-59048? +
What products are affected by CVE-2025-59048? +
How do I check if I'm vulnerable to CVE-2025-59048? +
Related Vulnerabilities
A vulnerability affecting the detailed versions of Cryptobox allows a legitimate user to prevent another to login by triggering an …
A vulnerability has been identified in keylime where an attacker can exploit this flaw by registering a new agent using …
A Use of Multiple Resources with Duplicate Identifier vulnerability in the IKE daemon (iked) of Juniper Networks Junos OS on …
Use of Multiple Resources with Duplicate Identifier (CWE-694) in the Controller 6000 and Controller 7000 Platforms could allow an attacker …
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In …
Vault and Vault Enterprise (“Vault”) TLS certificate auth method did not correctly validate client certificates when configured with a non-CA …