openbao

SECURITY

• core/auth: Fix audit logs dropping custom headers when using inline auth. GHSA-q8cj-789h-vg24 / CVE-2026-46358. [GH-3076]
• core: Prevent hidden default token issuance from auth plugin endpoints returning both a logical.Auth{} response object and an error. GHSA-7j6w-vvw2-5f9c / CVE-2026-46405. [GH-3150]
• core: Remove legacy lease endpoints (sys/revoke, sys/renew, sys/revoke-prefix, and sys/revoke-force) due to cross-namespace lease modification. GHSA-v8v8-cm84-m686 / CVE-2026-45808. [GH-3152]

IMPROVEMENTS

• storage/postgresql: Set constraint name to table+"_pkey" and ha_table+"_pkey" and index to table+"_idx" for uniqueness when reusing the same database partition for multiple OpenBao instances. [GH-2876]

BUG FIXES

• auth/kerberos: Do not return logical.Auth{} response during initial negotiation at the same time as an error. [GH-3150]
• core/mfa: Handle invalidation for login MFA, ensuring standby nodes respond appropriately on writes. [GH-3083]
• core/policies: Fix list_scan_response_keys_filter_path incorrectly erring on empty list responses. [GH-3063]
• core/quotas: Correctly handle default rate limit exempt paths on quota configuration invalidation. [GH-2953]
• core: Disallow logical secret engines from creating authentication tokens. [GH-3087]
• core: Forward generate-root, step-down and rekey requests to active node to resolve inconsistent standby behavior. [GH-3006]
• storage/raft: Wait for autopilot shutdown to avoid panic when racing to retrieve known servers. [GH-3054]
• storage/postgresql: Revert accidental rename of ha_table option to haTable. Both spellings are now supported to retain compatibility, though ha_table takes precedence. [GH-2876]

What's Changed

• Remove 2.5.x community docs by @cipherboy in https://github.com/openbao/openbao/pull/3071
• Disallow non-auth plugins from creating tokens (#3087 by @cipherboy) backported by @phil9909 in https://github.com/openbao/openbao/pull/3112
• Handle invalidation of LoginMFA keys (#3083 by @cipherboy) backported by @phil9909 in https://github.com/openbao/openbao/pull/3113
• Fix audit logs dropping custom headers when using inline auth (#3076 by @jackyliao123) backported by @phil9909 in https://github.com/openbao/openbao/pull/3114
• fix: nil-guard d.autopilot before calling GetState (#3054 by @mpldr) backported by @phil9909 in https://github.com/openbao/openbao/pull/3115
• fix: Fix request handling filtering for the no data case (#3063 by @eklatzer) backported by @phil9909 in https://github.com/openbao/openbao/pull/3116
• Update vulnerable deps before 2.5.4 by @cipherboy in https://github.com/openbao/openbao/pull/3121
• Fix cache invalidation memory leak (#3105 by @cipherboy) backported by @phil9909 in https://github.com/openbao/openbao/pull/3131
• Use unique constraints, indices in PostgreSQL storage (#2876 by @cipherboy) backported by @phil9909 in https://github.com/openbao/openbao/pull/3132
• Correctly handle default_rate_limit_exempt_paths_toggle invalidation (#2953 by @cipherboy) backported by @phil9909 in https://github.com/openbao/openbao/pull/3134
• Fix /v1/sys/ forwarding regressions for standby instances (#3006 by @tsaarni) backported by @phil9909 in https://github.com/openbao/openbao/pull/3133
• Remove legacy cross-namespace lease endpoints (#3152 by @cipherboy) backported by @cipherboy in https://github.com/openbao/openbao/pull/3153
• Prevent errors from creating orphaned tokens (#3150 by @cipherboy) backported by @cipherboy in https://github.com/openbao/openbao/pull/3151
• Add release notes for v2.5.4 by @satoqz in https://github.com/openbao/openbao/pull/3154

Full Changelog: https://github.com/openbao/openbao/compare/v2.5.3...v2.5.4