From 512398206dbd0ba77097b37e45a02873c6138577 Mon Sep 17 00:00:00 2001 From: Vault Automation Date: Wed, 22 Apr 2026 17:20:07 -0400 Subject: [PATCH] SECVULN-41101 fix missing return after respondError in sys_raft (#14198) (#14200) Co-authored-by: Violet Hynes --- http/sys_raft.go | 1 + vault/external_tests/raft/raft_test.go | 12 ++++++++++++ 2 files changed, 13 insertions(+) diff --git a/http/sys_raft.go b/http/sys_raft.go index b2055d674c..2346b3182c 100644 --- a/http/sys_raft.go +++ b/http/sys_raft.go @@ -23,6 +23,7 @@ func handleSysRaftBootstrap(core *vault.Core) http.Handler { case "POST", "PUT": if core.Sealed() { respondError(w, http.StatusBadRequest, errors.New("node must be unsealed to bootstrap")) + return } if err := core.RaftBootstrap(context.Background(), false); err != nil { diff --git a/vault/external_tests/raft/raft_test.go b/vault/external_tests/raft/raft_test.go index 170cc02f8e..108f490af1 100644 --- a/vault/external_tests/raft/raft_test.go +++ b/vault/external_tests/raft/raft_test.go @@ -27,6 +27,7 @@ import ( "github.com/hashicorp/vault/helper/namespace" "github.com/hashicorp/vault/helper/testhelpers" "github.com/hashicorp/vault/helper/testhelpers/corehelpers" + "github.com/hashicorp/vault/helper/testhelpers/minimal" "github.com/hashicorp/vault/helper/testhelpers/teststorage" vaulthttp "github.com/hashicorp/vault/http" "github.com/hashicorp/vault/internalshared/configutil" @@ -1626,3 +1627,14 @@ func TestRaft_SnapshotLargerMaxRequestSize(t *testing.T) { require.NoError(t, err) testhelpers.WaitForActiveNode(t, cluster) } + +// TestRaft_BootstrapWhenSealed ensures raft does not attempt to bootstrap when sealed. +func TestRaft_BootstrapWhenSealed(t *testing.T) { + t.Parallel() + cluster := minimal.NewTestSoloCluster(t, nil) + client := cluster.Cores[0].Client + cluster.EnsureCoresSealed(t) + + _, err := client.Logical().Write("sys/storage/raft/bootstrap", nil) + require.ErrorContains(t, err, "node must be unsealed to bootstrap") +}