CVE-2026-3605

EUVD-2026-23346 | Severity: HIGH
2026-04-17 | HashiCorp | GHSA-m2w4-8ggf-rj47
CVSS 3.1 base score: 8.1

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: High

Lifecycle Timeline

Apr 17, 2026 04:28 (vuln.today): Analysis Updated, v2 (cvss_changed)
Apr 17, 2026 04:22 (vuln.today): Re-analysis Queued (cvss_changed)
Apr 17, 2026 04:01 (EUVD): patch_available
Apr 17, 2026 03:34 (vuln.today): Analysis Generated

Description (NVD)

An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user to delete secrets across namespaces, nor read any secret data. Fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.

Analysis (AI)

HashiCorp Vault's KVv2 secrets engine allows an authenticated user whose policy grants access to a KVv2 path through a glob to delete secrets outside the scope they were authorized to read or write, causing denial of service. Affected releases run from Vault 0.10.0 through the 1.x releases prior to the fixed versions listed above; secrets in other namespaces cannot be deleted and no secret data is readable. The flaw stems from improper access control in policy glob evaluation during delete operations (tracked here as CWE-288). …


Remediation (AI)

Within 24 hours: inventory all HashiCorp Vault instances and, for each, confirm whether KVv2 secrets engines are mounted and which policies reach those mounts through glob paths. Within 7 days: upgrade every affected instance (0.10.0 through the unpatched 1.x releases) to a fixed release: Vault Community Edition 2.0.0, or Vault Enterprise 2.0.0, 1.21.5, 1.20.10, or 1.19.16; consult HashiCorp advisory GHSA-m2w4-8ggf-rj47 for the authoritative list. …
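The first remediation step asks for an inventory of policies that reach KVv2 mounts through a glob. The script below is an added example for that inventory step, not HashiCorp code or anything from the advisory: it takes policy HCL text (here three constructed sample policies) and a list of KVv2 mount prefixes (assumed to be `secret/`), extracts every `path "..." { capabilities = [...] }` block with a small regex rather than a full HCL parser, and reports the rules whose path contains a Vault wildcard (`*` glob or `+` single-segment match) under one of those mounts, together with the capabilities they grant. The policy names, paths and mount list are all constructed for illustration.

```python
"""Inventory Vault policies for wildcard paths on KVv2 mounts.

Added example for the CVE-2026-3605 inventory step; not HashiCorp code.
Policy text is parsed with a regex sufficient for the common
`path "..." { capabilities = [...] }` form; it is not a full HCL parser.
"""
import re

# Constructed sample policies (hypothetical; not from the advisory).
SAMPLE_POLICIES = {
    "app-reader": '''
path "secret/data/app/*" {
  capabilities = ["read", "list"]
}
path "secret/metadata/app/*" {
  capabilities = ["list"]
}
''',
    "ops-cleanup": '''
path "secret/*" {
  capabilities = ["read", "delete"]
}
path "secret/delete/+/old" {
  capabilities = ["update"]
}
''',
    "pki-only": '''
path "pki/issue/web" {
  capabilities = ["update"]
}
''',
}

PATH_BLOCK = re.compile(r'path\s+"([^"]+)"\s*\{([^}]*)\}', re.S)
CAPS = re.compile(r'capabilities\s*=\s*\[([^\]]*)\]', re.S)
# Vault policy wildcards: a trailing "*" is a glob, "+" matches one segment.
WILDCARDS = ("*", "+")


def parse_policy(hcl):
    """Return [(path, [capability, ...]), ...] for each path block in hcl."""
    rules = []
    for path, body in PATH_BLOCK.findall(hcl):
        m = CAPS.search(body)
        caps = re.findall(r'"([^"]+)"', m.group(1)) if m else []
        rules.append((path, caps))
    return rules


def glob_rules_on_kv(policies, kv_mounts):
    """Flag rules whose path has a wildcard and sits under a KVv2 mount.

    policies:  {policy_name: hcl_text}
    kv_mounts: mount prefixes known to be KVv2, e.g. ["secret/"]
    Returns a list of dicts with policy, path and capabilities.
    """
    findings = []
    for name, hcl in policies.items():
        for path, caps in parse_policy(hcl):
            on_kv = any(path.startswith(mount) for mount in kv_mounts)
            if on_kv and any(w in path for w in WILDCARDS):
                findings.append({"policy": name, "path": path, "capabilities": caps})
    return findings


if __name__ == "__main__":
    # "secret/" is the assumed KVv2 mount for this constructed example.
    for f in glob_rules_on_kv(SAMPLE_POLICIES, ["secret/"]):
        print(f"{f['policy']}: {f['path']} -> {f['capabilities']}")
```

On a real cluster, feed it the output of `vault policy list` followed by `vault policy read <name>` for each policy, and build the mount list from `vault secrets list -detailed` (KVv2 mounts show `version:2` in their options). Every row in the report is a policy to review against the fixed-version upgrade plan; a wildcard rule that grants only `read` or `list` is still listed, because the description does not say which capability on the globbed path is sufficient, and the upgrade, not a policy rewrite, is the fix.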

