Skip to main content

Vault CVE-2026-4525

| EUVDEUVD-2026-23345 HIGH
Insertion of Sensitive Information Into Sent Data (CWE-201)
2026-04-17 HashiCorp GHSA-72gw-fmmr-c4r4
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
5.9 MEDIUM

Requires non-default header pass-through config plus attacker-controlled plugin backend (AC:H) and a valid in-flight token (PR:L); primary impact is token disclosure (C:H) with downstream replay (I:L), no availability impact.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N
4.0 AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
Red Hat
7.5 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

13
Analysis Updated
Jun 30, 2026 - 04:34 vuln.today
v7 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 04:34 vuln.today
v6 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 04:33 vuln.today
v5 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 04:33 vuln.today
v4 (cvss_changed)
CVSS changed
Jun 30, 2026 - 03:24 NVD
7.5 (HIGH) 8.8 (HIGH)
Patch released
Apr 27, 2026 - 15:02 nvd
Patch available
Analysis Updated
Apr 17, 2026 - 04:27 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 17, 2026 - 04:22 vuln.today
cvss_changed
Patch available
Apr 17, 2026 - 04:01 EUVD
Analysis Generated
Apr 17, 2026 - 03:34 vuln.today
EUVD ID Assigned
Apr 17, 2026 - 03:30 euvd
EUVD-2026-23345
Analysis Generated
Apr 17, 2026 - 03:30 vuln.today
CVE Published
Apr 17, 2026 - 03:00 nvd
HIGH 7.5

DescriptionNVD

If a Vault auth mount is configured to pass through the "Authorization" header, and the "Authorization" header is used to authenticate to Vault, Vault forwarded the Vault token to the auth plugin backend. Fixed in 2.0.0, 1.21.5, 1.20.10, and 1.19.16.

AnalysisAI

Token leakage in HashiCorp Vault and Vault Enterprise (0.11.2 up to 2.0.0, 1.21.5, 1.20.10, and 1.19.16) occurs when an auth mount is configured to pass through the 'Authorization' header and that same header is used to authenticate to Vault; in this case Vault forwards the caller's Vault token onward to the auth plugin backend. An authenticated client's token is thereby exposed to a plugin backend that should never see it, enabling potential impersonation and unauthorized secret access. No public exploit identified at time of analysis, and EPSS exploitation probability is negligible (0.01%, 3rd percentile).

More in Vault

View all
CVE-2024-0831 MEDIUM POC
6.5 Feb 01

Vault and Vault Enterprise (“Vault”) may expose sensitive information when enabling an audit device which specifies the

CVE-2024-2048 CRITICAL
9.8 Mar 04

Vault and Vault Enterprise (“Vault”) TLS certificate auth method did not correctly validate client certificates when con

CVE-2020-35192 CRITICAL
9.8 Dec 17

The official vault docker images before 0.11.6 contain a blank password for a root user. Rated critical severity (CVSS 9

CVE-2020-12757 CRITICAL
9.8 Jun 10

HashiCorp Vault and Vault Enterprise 1.4.0 and 1.4.1, when configured with the GCP Secrets Engine, may incorrectly gener

CVE-2022-40186 CRITICAL
9.1 Sep 22

An issue was discovered in HashiCorp Vault and Vault Enterprise before 1.11.3. Rated critical severity (CVSS 9.1), this

CVE-2022-36129 CRITICAL
9.1 Jul 26

HashiCorp Vault Enterprise 1.7.0 through 1.9.7, 1.10.4, and 1.11.0 clusters using Integrated Storage expose an unauthent

CVE-2020-10661 CRITICAL
9.1 Mar 23

HashiCorp Vault and Vault Enterprise versions 0.11.0 through 1.3.3 may, under certain circumstances, have existing neste

CVE-2024-7594 HIGH
8.8 Sep 26

Vault’s SSH secrets engine did not require the valid_principals list to contain a value by default. Rated high severity

CVE-2020-16251 HIGH
8.2 Aug 26

HashiCorp Vault and Vault Enterprise versions 0.8.3 and newer, when configured with the GCP GCE auth method, may be vuln

CVE-2020-16250 HIGH
8.2 Aug 26

HashiCorp Vault and Vault Enterprise versions 0.7.1 and newer, when configured with the AWS IAM auth method, may be vuln

CVE-2026-3605 HIGH
8.1 Apr 17

HashiCorp Vault's KVv2 secrets engine allows authenticated users with glob-based policy access to delete secrets outside

CVE-2023-24999 HIGH
8.1 Mar 11

HashiCorp Vault and Vault Enterprise’s approle auth method allowed any authenticated user with access to an approle dest

Vendor StatusVendor

Share

CVE-2026-4525 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy