Real bugs, found, reproduced from scratch, and responsibly disclosed. Confirmed by the maintainers themselves. This is the work behind the audits, not marketing.
A read-only, issues-only API token, one that should have zero access to code, could pull a private repo's full commit history (messages, SHAs, committer emails) through the RSS and Atom feed endpoints, while the same token was correctly blocked everywhere else. An incomplete-coverage gap in a recent scope fix.
A scoped user with only the Create permission, the most restricted account you can hand out, could delete files anywhere on the server (other tenants' data) and even delete the app's own database, wiping every user, share, and setting and locking the owner out. An incomplete fix of a prior symlink CVE.
An operator could set an explicit deny on a sensitive path, yet if a broader list was allowed on a parent path, OpenBao still permitted the LIST, the stricter deny was not applied to list operations. A privilege boundary that policy authors would reasonably trust to hold. Found by watching a fixed HashiCorp Vault bug that still lived in the OpenBao fork.
A single low-privilege user could read all the private code in one of these, or destroy the whole server in the other. We find the gaps others miss, then tell you how to close them. That is what a Securva audit does for your systems.
Get your Securva Snapshot or email usDisclosure note: all testing was performed on our own self-hosted copies of this open-source software. We never test third-party systems without authorization. CVE identifiers are assigned by the maintainers after a fix ships; this page is updated as each advisory publishes.