Skip to main content

Vault CVE-2026-3605

| EUVDEUVD-2026-23346 HIGH
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-04-17 HashiCorp GHSA-m2w4-8ggf-rj47
8.1
CVSS 3.1 · Vendor: HashiCorp
Share

Severity by source

Vendor (HashiCorp) PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
8.1 HIGH
qualitative

Primary rating from Vendor (HashiCorp).

CVSS VectorVendor: HashiCorp

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

8
Patch released
Apr 25, 2026 - 18:08 nvd
Patch available
Analysis Updated
Apr 17, 2026 - 04:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 17, 2026 - 04:22 vuln.today
cvss_changed
Patch available
Apr 17, 2026 - 04:01 EUVD
Analysis Generated
Apr 17, 2026 - 03:34 vuln.today
EUVD ID Assigned
Apr 17, 2026 - 03:30 euvd
EUVD-2026-23346
Analysis Generated
Apr 17, 2026 - 03:30 vuln.today
CVE Published
Apr 17, 2026 - 02:44 nvd
HIGH 8.1

DescriptionCVE.org

An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user to delete secrets across namespaces, nor read any secret data. Fxed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.

AnalysisAI

HashiCorp Vault's KVv2 secrets engine allows authenticated users with glob-based policy access to delete secrets outside their authorization scope, causing denial-of-service across versions 0.10.0 through 1.x. The flaw stems from improper access control (CWE-288) in policy glob evaluation during delete operations. Exploitation requires valid Vault credentials with specific policy patterns but does not permit cross-namespace deletion or secret data exfiltration. Fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0/1.21.5/1.20.10/1.19.16. No active exploitation confirmed (EPSS 0.01%), but CVSS 8.1 reflects high integrity and availability impact for authenticated attackers.

Technical ContextAI

HashiCorp Vault's Key-Value version 2 (KVv2) secrets engine implements path-based access control using HashiCorp Configuration Language (HCL) policies. Policies support glob patterns (wildcards like '*' or '+') to match multiple paths without enumerating each explicitly. CWE-288 (Authentication Bypass Using an Alternate Path or Channel) manifests when the delete operation evaluates glob patterns incorrectly, granting delete permissions beyond the intended read/write scope. The vulnerability affects both open-source Vault (cpe:2.3:a:hashicorp:vault) and Enterprise editions (cpe:2.3:a:hashicorp:vault_enterprise) from version 0.10.0 (initial KVv2 release circa 2018) through all 1.x branches. The flaw resides in the policy evaluation logic during metadata and secret deletion API calls, not in cryptographic operations or authentication mechanisms. Namespace isolation remained intact, preventing horizontal privilege escalation across tenant boundaries in Vault Enterprise deployments.

RemediationAI

Upgrade to patched versions immediately: Vault Community Edition 2.0.0 or Vault Enterprise 2.0.0 (all editions), 1.21.5 (for 1.21.x users), 1.20.10 (for 1.20.x users), or 1.19.16 (for 1.19.x long-term support users). Download links and upgrade instructions available in HashiCorp advisory HCSEC-2026-05 at https://discuss.hashicorp.com/t/hcsec-2026-05-vault-kvv2-metadata-and-secret-deletion-policy-bypass-denial-of-service/77342. For environments unable to upgrade immediately, implement compensating controls: audit all KVv2 policies for glob usage (search for '*' or '+' in path statements), replace glob patterns with explicit path lists where feasible (increases policy verbosity but eliminates attack surface), enable Vault audit logging to detect anomalous delete operations (log analysis overhead required), and restrict policy assignment to minimize users with glob-based KVv2 access (operational impact on teams relying on wildcard convenience). Note that removing glob patterns may require policy refactoring for complex path hierarchies, and audit log volume will increase proportionally to secret operation frequency. No workaround fully mitigates risk without patching.

More in Vault

View all
CVE-2024-0831 MEDIUM POC
6.5 Feb 01

Vault and Vault Enterprise (“Vault”) may expose sensitive information when enabling an audit device which specifies the

CVE-2024-2048 CRITICAL
9.8 Mar 04

Vault and Vault Enterprise (“Vault”) TLS certificate auth method did not correctly validate client certificates when con

CVE-2020-35192 CRITICAL
9.8 Dec 17

The official vault docker images before 0.11.6 contain a blank password for a root user. Rated critical severity (CVSS 9

CVE-2020-12757 CRITICAL
9.8 Jun 10

HashiCorp Vault and Vault Enterprise 1.4.0 and 1.4.1, when configured with the GCP Secrets Engine, may incorrectly gener

CVE-2022-40186 CRITICAL
9.1 Sep 22

An issue was discovered in HashiCorp Vault and Vault Enterprise before 1.11.3. Rated critical severity (CVSS 9.1), this

CVE-2022-36129 CRITICAL
9.1 Jul 26

HashiCorp Vault Enterprise 1.7.0 through 1.9.7, 1.10.4, and 1.11.0 clusters using Integrated Storage expose an unauthent

CVE-2020-10661 CRITICAL
9.1 Mar 23

HashiCorp Vault and Vault Enterprise versions 0.11.0 through 1.3.3 may, under certain circumstances, have existing neste

CVE-2026-4525 HIGH
8.8 Apr 17

Token leakage in HashiCorp Vault and Vault Enterprise (0.11.2 up to 2.0.0, 1.21.5, 1.20.10, and 1.19.16) occurs when an

CVE-2024-7594 HIGH
8.8 Sep 26

Vault’s SSH secrets engine did not require the valid_principals list to contain a value by default. Rated high severity

CVE-2020-16251 HIGH
8.2 Aug 26

HashiCorp Vault and Vault Enterprise versions 0.8.3 and newer, when configured with the GCP GCE auth method, may be vuln

CVE-2020-16250 HIGH
8.2 Aug 26

HashiCorp Vault and Vault Enterprise versions 0.7.1 and newer, when configured with the AWS IAM auth method, may be vuln

CVE-2023-24999 HIGH
8.1 Mar 11

HashiCorp Vault and Vault Enterprise’s approle auth method allowed any authenticated user with access to an approle dest

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2026-3605 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy