Severity by source
AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
Requires high-privilege credentials and non-default legacy audit path configuration (AC:H, PR:H); confidentiality impact from path traversal read with no integrity or availability effect.
Primary rating from Vendor (HashiCorp).
CVSS VectorVendor: HashiCorp
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
HashiCorp Vault and Vault Enterprise prior to 2.0.1 audit device validation logic did not consistently apply plugin directory protections when the legacy file audit path option was used.
This vulnerability (CVE-2026-5051) is fixed in 2.0.1, 1.21.6, 1.20.11, and 1.19.17.
AnalysisAI
Plugin directory guard bypass in HashiCorp Vault and Vault Enterprise allows a highly privileged, authenticated attacker to read files outside the intended audit plugin directory via path traversal. Exploitation requires network access, high-privilege credentials, and the use of the legacy file audit path option - a non-default configuration. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires three concurrent conditions: (1) the attacker must possess high-privilege Vault credentials sufficient to configure audit devices - PR:H per the CVSS vector; (2) the Vault deployment must be using the legacy file audit path option for an audit device, which is a non-default configuration; and (3) the attacker must reach the Vault API over the network (AV:N), though AC:H indicates additional complexity in reliably triggering the bypass. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 4.4 (Medium) reflects high attack complexity and high privilege requirements, which significantly constrain real-world exploitability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A malicious or compromised Vault administrator authenticates to the Vault API with high-privilege credentials and creates or modifies a file audit device, supplying a path containing traversal sequences (e.g., '../../etc/passwd') via the legacy file audit path option. Because the plugin directory guard is not consistently enforced on this legacy code path, Vault processes the traversal, exposing file content outside the plugin directory. … |
| Remediation | The primary fix is to upgrade HashiCorp Vault or Vault Enterprise to one of the patched releases: 2.0.1, 1.21.6, 1.20.11, or 1.19.17, as confirmed by HashiCorp's security advisory at https://discuss.hashicorp.com/t/hcsec-2026-16-vault-audit-device-plugin-directory-guard-bypass-via-legacy-path-option/77536. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Vault and Vault Enterprise (“Vault”) may expose sensitive information when enabling an audit device which specifies the
Vault and Vault Enterprise (“Vault”) TLS certificate auth method did not correctly validate client certificates when con
The official vault docker images before 0.11.6 contain a blank password for a root user. Rated critical severity (CVSS 9
HashiCorp Vault and Vault Enterprise 1.4.0 and 1.4.1, when configured with the GCP Secrets Engine, may incorrectly gener
An issue was discovered in HashiCorp Vault and Vault Enterprise before 1.11.3. Rated critical severity (CVSS 9.1), this
HashiCorp Vault Enterprise 1.7.0 through 1.9.7, 1.10.4, and 1.11.0 clusters using Integrated Storage expose an unauthent
HashiCorp Vault and Vault Enterprise versions 0.11.0 through 1.3.3 may, under certain circumstances, have existing neste
Token leakage in HashiCorp Vault and Vault Enterprise (0.11.2 up to 2.0.0, 1.21.5, 1.20.10, and 1.19.16) occurs when an
Vault’s SSH secrets engine did not require the valid_principals list to contain a value by default. Rated high severity
HashiCorp Vault and Vault Enterprise versions 0.8.3 and newer, when configured with the GCP GCE auth method, may be vuln
HashiCorp Vault and Vault Enterprise versions 0.7.1 and newer, when configured with the AWS IAM auth method, may be vuln
HashiCorp Vault's KVv2 secrets engine allows authenticated users with glob-based policy access to delete secrets outside
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41098
GHSA-rx9v-2fjr-mhx5