Vulnerability-Lookup

WID-SEC-W-2026-1164

Vulnerability from csaf_certbund - Published: 2026-04-16 22:00 - Updated: 2026-04-16 22:00

Summary

Hashicorp Vault Community Edition und Enterprise: Mehrere Schwachstellen

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Vault ist ein identitätsbasiertes System zur Verwaltung von Geheimnissen und Verschlüsselung.

Angriff: Ein Angreifer kann mehrere Schwachstellen in Hashicorp Vault ausnutzen, um Daten zu manipulieren, einen Denial-of-Service-Zustand zu verursachen oder vertrauliche Informationen offenzulegen, was möglicherweise eine Privilegienerweiterung ermöglicht.

Betroffene Betriebssysteme: - Sonstiges - UNIX

CVE-2026-3605

Affected products

Known affected 5 products

Product	Identifier	Version	Remediation
Hashicorp Vault Enterprise <2.0.0 Hashicorp / Vault		Enterprise <2.0.0
Hashicorp Vault Community Edition <2.0.0 Hashicorp / Vault		Community Edition <2.0.0
Hashicorp Vault Enterprise <1.20.10 Hashicorp / Vault		Enterprise <1.20.10
Hashicorp Vault Enterprise <1.19.16 Hashicorp / Vault		Enterprise <1.19.16
Hashicorp Vault Enterprise <1.21.5 Hashicorp / Vault		Enterprise <1.21.5

CVE-2026-4525

Affected products

Known affected 5 products

Product	Identifier	Version	Remediation
Hashicorp Vault Enterprise <2.0.0 Hashicorp / Vault		Enterprise <2.0.0
Hashicorp Vault Community Edition <2.0.0 Hashicorp / Vault		Community Edition <2.0.0
Hashicorp Vault Enterprise <1.20.10 Hashicorp / Vault		Enterprise <1.20.10
Hashicorp Vault Enterprise <1.19.16 Hashicorp / Vault		Enterprise <1.19.16
Hashicorp Vault Enterprise <1.21.5 Hashicorp / Vault		Enterprise <1.21.5

CVE-2026-5052

Affected products

Known affected 5 products

Product	Identifier	Version	Remediation
Hashicorp Vault Enterprise <2.0.0 Hashicorp / Vault		Enterprise <2.0.0
Hashicorp Vault Community Edition <2.0.0 Hashicorp / Vault		Community Edition <2.0.0
Hashicorp Vault Enterprise <1.20.10 Hashicorp / Vault		Enterprise <1.20.10
Hashicorp Vault Enterprise <1.19.16 Hashicorp / Vault		Enterprise <1.19.16
Hashicorp Vault Enterprise <1.21.5 Hashicorp / Vault		Enterprise <1.21.5

CVE-2026-5807

Affected products

Known affected 5 products

Product	Identifier	Version	Remediation
Hashicorp Vault Enterprise <2.0.0 Hashicorp / Vault		Enterprise <2.0.0
Hashicorp Vault Community Edition <2.0.0 Hashicorp / Vault		Community Edition <2.0.0
Hashicorp Vault Enterprise <1.20.10 Hashicorp / Vault		Enterprise <1.20.10
Hashicorp Vault Enterprise <1.19.16 Hashicorp / Vault		Enterprise <1.19.16
Hashicorp Vault Enterprise <1.21.5 Hashicorp / Vault		Enterprise <1.21.5

References

6 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://discuss.hashicorp.com/t/hcsec-2026-05-vau…	external
https://discuss.hashicorp.com/t/hcsec-2026-06-vau…	external
https://discuss.hashicorp.com/t/hcsec-2026-07-vau…	external
https://discuss.hashicorp.com/t/hcsec-2026-08-vau…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Vault ist ein identit\u00e4tsbasiertes System zur Verwaltung von Geheimnissen und Verschl\u00fcsselung.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann mehrere Schwachstellen in Hashicorp Vault ausnutzen, um Daten zu manipulieren, einen Denial-of-Service-Zustand zu verursachen oder vertrauliche Informationen offenzulegen, was m\u00f6glicherweise eine Privilegienerweiterung erm\u00f6glicht.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Sonstiges\n- UNIX",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-1164 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-1164.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-1164 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1164"
      },
      {
        "category": "external",
        "summary": "Hashicorp Security Advisory vom 2026-04-16",
        "url": "https://discuss.hashicorp.com/t/hcsec-2026-05-vault-kvv2-metadata-and-secret-deletion-policy-bypass-denial-of-service/77342"
      },
      {
        "category": "external",
        "summary": "Hashicorp Security Advisory vom 2026-04-16",
        "url": "https://discuss.hashicorp.com/t/hcsec-2026-06-vault-vulnerable-to-server-side-request-forgery-in-acme-challenge-validation-via-attacker-controlled-dns/77343"
      },
      {
        "category": "external",
        "summary": "Hashicorp Security Advisory vom 2026-04-16",
        "url": "https://discuss.hashicorp.com/t/hcsec-2026-07-vault-may-expose-tokens-to-auth-plugins-due-to-incorrect-header-sanitization/77344"
      },
      {
        "category": "external",
        "summary": "Hashicorp Security Advisory vom 2026-04-16",
        "url": "https://discuss.hashicorp.com/t/hcsec-2026-08-vault-vulnerable-to-denial-of-service-via-unauthenticated-root-token-generation-rekey-operations/77345"
      }
    ],
    "source_lang": "en-US",
    "title": "Hashicorp Vault Community Edition und Enterprise: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-04-16T22:00:00.000+00:00",
      "generator": {
        "date": "2026-04-17T09:44:17.338+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.5.0"
        }
      },
      "id": "WID-SEC-W-2026-1164",
      "initial_release_date": "2026-04-16T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-04-16T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "Community Edition \u003c2.0.0",
                "product": {
                  "name": "Hashicorp Vault Community Edition \u003c2.0.0",
                  "product_id": "T052945"
                }
              },
              {
                "category": "product_version",
                "name": "Community Edition 2.0.0",
                "product": {
                  "name": "Hashicorp Vault Community Edition 2.0.0",
                  "product_id": "T052945-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:hashicorp:vault:community_edition__2.0.0"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Enterprise \u003c2.0.0",
                "product": {
                  "name": "Hashicorp Vault Enterprise \u003c2.0.0",
                  "product_id": "T052949"
                }
              },
              {
                "category": "product_version",
                "name": "Enterprise 2.0.0",
                "product": {
                  "name": "Hashicorp Vault Enterprise 2.0.0",
                  "product_id": "T052949-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:hashicorp:vault:enterprise__2.0.0"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Enterprise \u003c1.21.5",
                "product": {
                  "name": "Hashicorp Vault Enterprise \u003c1.21.5",
                  "product_id": "T052950"
                }
              },
              {
                "category": "product_version",
                "name": "Enterprise 1.21.5",
                "product": {
                  "name": "Hashicorp Vault Enterprise 1.21.5",
                  "product_id": "T052950-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:hashicorp:vault:enterprise__1.21.5"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Enterprise \u003c1.20.10",
                "product": {
                  "name": "Hashicorp Vault Enterprise \u003c1.20.10",
                  "product_id": "T052951"
                }
              },
              {
                "category": "product_version",
                "name": "Enterprise 1.20.10",
                "product": {
                  "name": "Hashicorp Vault Enterprise 1.20.10",
                  "product_id": "T052951-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:hashicorp:vault:enterprise__1.20.10"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Enterprise \u003c1.19.16",
                "product": {
                  "name": "Hashicorp Vault Enterprise \u003c1.19.16",
                  "product_id": "T052952"
                }
              },
              {
                "category": "product_version",
                "name": "Enterprise 1.19.16",
                "product": {
                  "name": "Hashicorp Vault Enterprise 1.19.16",
                  "product_id": "T052952-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:hashicorp:vault:enterprise__1.19.16"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Vault"
          }
        ],
        "category": "vendor",
        "name": "Hashicorp"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-3605",
      "product_status": {
        "known_affected": [
          "T052949",
          "T052945",
          "T052951",
          "T052952",
          "T052950"
        ]
      },
      "release_date": "2026-04-16T22:00:00.000+00:00",
      "title": "CVE-2026-3605"
    },
    {
      "cve": "CVE-2026-4525",
      "product_status": {
        "known_affected": [
          "T052949",
          "T052945",
          "T052951",
          "T052952",
          "T052950"
        ]
      },
      "release_date": "2026-04-16T22:00:00.000+00:00",
      "title": "CVE-2026-4525"
    },
    {
      "cve": "CVE-2026-5052",
      "product_status": {
        "known_affected": [
          "T052949",
          "T052945",
          "T052951",
          "T052952",
          "T052950"
        ]
      },
      "release_date": "2026-04-16T22:00:00.000+00:00",
      "title": "CVE-2026-5052"
    },
    {
      "cve": "CVE-2026-5807",
      "product_status": {
        "known_affected": [
          "T052949",
          "T052945",
          "T052951",
          "T052952",
          "T052950"
        ]
      },
      "release_date": "2026-04-16T22:00:00.000+00:00",
      "title": "CVE-2026-5807"
    }
  ]
}

CVE-2026-3605 (GCVE-0-2026-3605)

Vulnerability from cvelistv5 – Published: 2026-04-17 02:44 – Updated: 2026-04-17 17:57

Title

Vault KVv2 Metadata and Secret Deletion Policy Bypass Denial-of-Service

Summary

An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user to delete secrets across namespaces, nor read any secret data. Fxed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.

Severity

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-288 - Authentication Bypass Using an Alternate Path or Channel

Assigner

HashiCorp

References

1 reference

URL	Tags
https://discuss.hashicorp.com/t/hcsec-2026-05-vau…

Impacted products

2 products

Vendor	Product	Version
HashiCorp	Vault	Affected: 0.10.0 , < 2.0.0 (semver)
HashiCorp	Vault Enterprise	Affected: 0.10.0 , < 2.0.0 (semver)

Credits

This issue was independently identified and reported by chungkn from OneMount Group, as well as Andy RUSSON et Gabriel DEPARTOUT from almond.eu , sponsored the ANSSI (French Cybersecurity Agency) open-source security audit program.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-3605",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-17T13:20:23.015074Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-17T13:20:28.557Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "64 bit",
            "32 bit",
            "x86",
            "ARM",
            "MacOS",
            "Windows",
            "Linux"
          ],
          "product": "Vault",
          "repo": "https://github.com/hashicorp/vault",
          "vendor": "HashiCorp",
          "versions": [
            {
              "lessThan": "2.0.0",
              "status": "affected",
              "version": "0.10.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "64 bit",
            "32 bit",
            "x86",
            "ARM",
            "MacOS",
            "Windows",
            "Linux"
          ],
          "product": "Vault Enterprise",
          "repo": "https://github.com/hashicorp/vault",
          "vendor": "HashiCorp",
          "versions": [
            {
              "changes": [
                {
                  "at": "1.19.16",
                  "status": "unaffected"
                },
                {
                  "at": "1.20.10",
                  "status": "unaffected"
                },
                {
                  "at": "1.21.5",
                  "status": "unaffected"
                }
              ],
              "lessThan": "2.0.0",
              "status": "affected",
              "version": "0.10.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "This issue was independently identified and reported by chungkn from OneMount Group, as well as Andy RUSSON et Gabriel DEPARTOUT from almond.eu , sponsored the ANSSI (French Cybersecurity Agency) open-source security audit program."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAn authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user to delete secrets across namespaces, nor read any secret data. Fxed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.\u003c/p\u003e\u003cbr/\u003e"
            }
          ],
          "value": "An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user to delete secrets across namespaces, nor read any secret data. Fxed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-126",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-126: Path Traversal"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-288",
              "description": "CWE-288: Authentication Bypass Using an Alternate Path or Channel",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-17T17:57:55.431Z",
        "orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
        "shortName": "HashiCorp"
      },
      "references": [
        {
          "url": "https://discuss.hashicorp.com/t/hcsec-2026-05-vault-kvv2-metadata-and-secret-deletion-policy-bypass-denial-of-service/77342"
        }
      ],
      "source": {
        "advisory": "HCSEC-2026-05",
        "discovery": "EXTERNAL"
      },
      "title": "Vault KVv2 Metadata and Secret Deletion Policy Bypass Denial-of-Service"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
    "assignerShortName": "HashiCorp",
    "cveId": "CVE-2026-3605",
    "datePublished": "2026-04-17T02:44:42.032Z",
    "dateReserved": "2026-03-05T16:37:23.520Z",
    "dateUpdated": "2026-04-17T17:57:55.431Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-4525 (GCVE-0-2026-4525)

Vulnerability from cvelistv5 – Published: 2026-04-17 03:00 – Updated: 2026-04-17 17:22

Title

Vault Token Leaked to Backends via Authorization: Bearer Passthrough Header

Summary

If a Vault auth mount is configured to pass through the "Authorization" header, and the "Authorization" header is used to authenticate to Vault, Vault forwarded the Vault token to the auth plugin backend. Fixed in 2.0.0, 1.21.5, 1.20.10, and 1.19.16.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-201 - Insertion of Sensitive Information Into Sent Data

Assigner

HashiCorp

References

1 reference

URL	Tags
https://discuss.hashicorp.com/t/hcsec-2026-07-vau…

Impacted products

2 products

Vendor	Product	Version
HashiCorp	Vault	Affected: 0.11.2 , < 2.0.0 (semver)
HashiCorp	Vault Enterprise	Affected: 0.11.2 , < 2.0.0 (semver)

Credits

This issue was identified and reported by Oleh Konko of 1seal.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-4525",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-17T13:19:26.452614Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-17T13:19:32.463Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "64 bit",
            "32 bit",
            "x86",
            "ARM",
            "MacOS",
            "Windows",
            "Linux"
          ],
          "product": "Vault",
          "repo": "https://github.com/hashicorp/vault",
          "vendor": "HashiCorp",
          "versions": [
            {
              "lessThan": "2.0.0",
              "status": "affected",
              "version": "0.11.2",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "64 bit",
            "32 bit",
            "x86",
            "ARM",
            "MacOS",
            "Windows",
            "Linux"
          ],
          "product": "Vault Enterprise",
          "repo": "https://github.com/hashicorp/vault",
          "vendor": "HashiCorp",
          "versions": [
            {
              "changes": [
                {
                  "at": "1.19.16",
                  "status": "unaffected"
                },
                {
                  "at": "1.20.10",
                  "status": "unaffected"
                },
                {
                  "at": "1.21.5",
                  "status": "unaffected"
                }
              ],
              "lessThan": "2.0.0",
              "status": "affected",
              "version": "0.11.2",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "This issue was identified and reported by Oleh Konko of 1seal."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIf a Vault auth mount is configured to pass through the \"Authorization\" header, and the \"Authorization\" header is used to authenticate to Vault, Vault forwarded the Vault token to the auth plugin backend. Fixed in 2.0.0, 1.21.5, 1.20.10, and 1.19.16.\u003c/p\u003e\u003cbr/\u003e"
            }
          ],
          "value": "If a Vault auth mount is configured to pass through the \"Authorization\" header, and the \"Authorization\" header is used to authenticate to Vault, Vault forwarded the Vault token to the auth plugin backend. Fixed in 2.0.0, 1.21.5, 1.20.10, and 1.19.16."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-118",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-118: Collect and Analyze Information"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-201",
              "description": "CWE-201: Insertion of Sensitive Information Into Sent Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-17T17:22:41.255Z",
        "orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
        "shortName": "HashiCorp"
      },
      "references": [
        {
          "url": "https://discuss.hashicorp.com/t/hcsec-2026-07-vault-may-expose-tokens-to-auth-plugins-due-to-incorrect-header-sanitization/77344"
        }
      ],
      "source": {
        "advisory": "HCSEC-2026-08",
        "discovery": "EXTERNAL"
      },
      "title": "Vault Token Leaked to Backends via Authorization: Bearer Passthrough Header"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
    "assignerShortName": "HashiCorp",
    "cveId": "CVE-2026-4525",
    "datePublished": "2026-04-17T03:00:47.561Z",
    "dateReserved": "2026-03-20T17:47:40.835Z",
    "dateUpdated": "2026-04-17T17:22:41.255Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-5052 (GCVE-0-2026-5052)

Vulnerability from cvelistv5 – Published: 2026-04-17 02:55 – Updated: 2026-04-17 17:57

Title

Vault Vulnerable to Server-Side Request Forgery in ACME Challenge Validation via Attacker-Controlled DNS

Summary

Vault’s PKI engine’s ACME validation did not reject local targets when issuing http-01 and tls-alpn-01 challenges. This may lead to these requests being sent to local network targets, potentially leading to information disclosure. Fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.

Severity

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-918 - Server-Side Request Forgery (SSRF)

Assigner

HashiCorp

References

1 reference

URL	Tags
https://discuss.hashicorp.com/t/hcsec-2026-06-vau…

Impacted products

2 products

Vendor	Product	Version
HashiCorp	Vault	Affected: 1.15.0 , < 2.0.0 (semver)
HashiCorp	Vault Enterprise	Affected: 1.15.0 , < 2.0.0 (semver)

Credits

This issue was independently identified and reported by Oleh Konko of 1seal, as well as Vipin Chaudhary.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-5052",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-17T13:19:57.168697Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-17T13:20:07.590Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "64 bit",
            "32 bit",
            "x86",
            "ARM",
            "MacOS",
            "Windows",
            "Linux"
          ],
          "product": "Vault",
          "repo": "https://github.com/hashicorp/vault",
          "vendor": "HashiCorp",
          "versions": [
            {
              "lessThan": "2.0.0",
              "status": "affected",
              "version": "1.15.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "64 bit",
            "32 bit",
            "x86",
            "ARM",
            "MacOS",
            "Windows",
            "Linux"
          ],
          "product": "Vault Enterprise",
          "repo": "https://github.com/hashicorp/vault",
          "vendor": "HashiCorp",
          "versions": [
            {
              "changes": [
                {
                  "at": "1.19.16",
                  "status": "unaffected"
                },
                {
                  "at": "1.20.10",
                  "status": "unaffected"
                },
                {
                  "at": "1.21.5",
                  "status": "unaffected"
                }
              ],
              "lessThan": "2.0.0",
              "status": "affected",
              "version": "1.15.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "This issue was independently identified and reported by Oleh Konko of 1seal, as well as Vipin Chaudhary."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eVault\u2019s PKI engine\u2019s ACME validation did not reject local targets when issuing http-01 and tls-alpn-01 challenges. This may lead to these requests being sent to local network targets, potentially leading to information disclosure. Fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.\u003c/p\u003e\u003cbr/\u003e"
            }
          ],
          "value": "Vault\u2019s PKI engine\u2019s ACME validation did not reject local targets when issuing http-01 and tls-alpn-01 challenges. This may lead to these requests being sent to local network targets, potentially leading to information disclosure. Fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-118",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-118: Collect and Analyze Information"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-17T17:57:55.377Z",
        "orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
        "shortName": "HashiCorp"
      },
      "references": [
        {
          "url": "https://discuss.hashicorp.com/t/hcsec-2026-06-vault-vulnerable-to-server-side-request-forgery-in-acme-challenge-validation-via-attacker-controlled-dns/77343"
        }
      ],
      "source": {
        "advisory": "HCSEC-2026-06",
        "discovery": "EXTERNAL"
      },
      "title": "Vault Vulnerable to Server-Side Request Forgery in ACME Challenge Validation via Attacker-Controlled DNS"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
    "assignerShortName": "HashiCorp",
    "cveId": "CVE-2026-5052",
    "datePublished": "2026-04-17T02:55:25.080Z",
    "dateReserved": "2026-03-27T17:50:20.727Z",
    "dateUpdated": "2026-04-17T17:57:55.377Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-5807 (GCVE-0-2026-5807)

Vulnerability from cvelistv5 – Published: 2026-04-17 03:22 – Updated: 2026-04-17 17:57

Title

Vault Vulnerable to Denial-of-Service via Unauthenticated Root Token Generation/Rekey Operations

Summary

Vault is vulnerable to a denial-of-service condition where an unauthenticated attacker can repeatedly initiate or cancel root token generation or rekey operations, occupying the single in-progress operation slot. This prevents legitimate operators from completing these workflows. This vulnerability, CVE-2026-5807, is fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-770 - Allocation of Resources Without Limits or Throttling

Assigner

HashiCorp

References

1 reference

URL	Tags
https://discuss.hashicorp.com/t/hcsec-2026-08-vau…

Impacted products

2 products

Vendor	Product	Version
HashiCorp	Vault	Affected: 0 , < 2.0.0 (semver)
HashiCorp	Vault Enterprise	Affected: 0 , < 2.0.0. (semver)

Credits

This issue was identified by XlabAI Team of Tencent Xuanwu Lab and the Atuin Automated Vulnerability Discovery Engine who reported it to HashiCorp.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-5807",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-17T13:18:46.561122Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-17T13:19:07.594Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "64 bit",
            "32 bit",
            "x86",
            "ARM",
            "MacOS",
            "Windows",
            "Linux"
          ],
          "product": "Vault",
          "repo": "https://github.com/hashicorp/vault",
          "vendor": "HashiCorp",
          "versions": [
            {
              "lessThan": "2.0.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "64 bit",
            "32 bit",
            "x86",
            "ARM",
            "MacOS",
            "Windows",
            "Linux"
          ],
          "product": "Vault Enterprise",
          "repo": "https://github.com/hashicorp/vault",
          "vendor": "HashiCorp",
          "versions": [
            {
              "lessThan": "2.0.0.",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "This issue was identified by XlabAI Team of Tencent Xuanwu Lab and the Atuin Automated Vulnerability Discovery Engine who reported it to HashiCorp."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eVault is vulnerable to a denial-of-service condition where an unauthenticated attacker can repeatedly initiate or cancel root token generation or rekey operations, occupying the single in-progress operation slot. This prevents legitimate operators from completing these workflows. This vulnerability, CVE-2026-5807, is fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0.\u003c/p\u003e\u003cbr/\u003e"
            }
          ],
          "value": "Vault is vulnerable to a denial-of-service condition where an unauthenticated attacker can repeatedly initiate or cancel root token generation or rekey operations, occupying the single in-progress operation slot. This prevents legitimate operators from completing these workflows. This vulnerability, CVE-2026-5807, is fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-125",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-125: Flooding"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-17T17:57:55.504Z",
        "orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
        "shortName": "HashiCorp"
      },
      "references": [
        {
          "url": "https://discuss.hashicorp.com/t/hcsec-2026-08-vault-vulnerable-to-denial-of-service-via-unauthenticated-root-token-generation-rekey-operations/77345"
        }
      ],
      "source": {
        "advisory": "HCSEC-2026-08",
        "discovery": "EXTERNAL"
      },
      "title": "Vault Vulnerable to Denial-of-Service via Unauthenticated Root Token Generation/Rekey Operations"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
    "assignerShortName": "HashiCorp",
    "cveId": "CVE-2026-5807",
    "datePublished": "2026-04-17T03:22:13.816Z",
    "dateReserved": "2026-04-08T14:43:57.845Z",
    "dateUpdated": "2026-04-17T17:57:55.504Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2026-1164

CVE-2026-3605 (GCVE-0-2026-3605)

CVE-2026-4525 (GCVE-0-2026-4525)

CVE-2026-5052 (GCVE-0-2026-5052)

CVE-2026-5807 (GCVE-0-2026-5807)

Tags

Sightings

Nomenclature