Skip to main content

HashiCorp Vault CVE-2026-5051

| EUVDEUVD-2026-41098 MEDIUM
Path Traversal (CWE-22)
2026-07-01 HashiCorp GHSA-rx9v-2fjr-mhx5
4.4
CVSS 3.1 · Vendor: HashiCorp
Share

Severity by source

Vendor (HashiCorp) PRIMARY
4.4 MEDIUM
AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
4.4 MEDIUM

Requires high-privilege credentials and non-default legacy audit path configuration (AC:H, PR:H); confidentiality impact from path traversal read with no integrity or availability effect.

3.1 AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (HashiCorp).

CVSS VectorVendor: HashiCorp

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Patch available
Jul 01, 2026 - 19:02 EUVD
Analysis Generated
Jul 01, 2026 - 18:20 vuln.today

DescriptionCVE.org

HashiCorp Vault and Vault Enterprise prior to 2.0.1 audit device validation logic did not consistently apply plugin directory protections when the legacy file audit path option was used.

This vulnerability (CVE-2026-5051) is fixed in 2.0.1, 1.21.6, 1.20.11, and 1.19.17.

AnalysisAI

Plugin directory guard bypass in HashiCorp Vault and Vault Enterprise allows a highly privileged, authenticated attacker to read files outside the intended audit plugin directory via path traversal. Exploitation requires network access, high-privilege credentials, and the use of the legacy file audit path option - a non-default configuration. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to Vault API with high-privilege credentials
Delivery
Create or modify file audit device using legacy path option
Exploit
Supply path traversal sequences in audit path field
Execution
Bypass plugin directory guard in validation logic
Impact
Read files outside the intended plugin directory boundary

Vulnerability AssessmentAI

Exploitation Exploitation requires three concurrent conditions: (1) the attacker must possess high-privilege Vault credentials sufficient to configure audit devices - PR:H per the CVSS vector; (2) the Vault deployment must be using the legacy file audit path option for an audit device, which is a non-default configuration; and (3) the attacker must reach the Vault API over the network (AV:N), though AC:H indicates additional complexity in reliably triggering the bypass. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 4.4 (Medium) reflects high attack complexity and high privilege requirements, which significantly constrain real-world exploitability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A malicious or compromised Vault administrator authenticates to the Vault API with high-privilege credentials and creates or modifies a file audit device, supplying a path containing traversal sequences (e.g., '../../etc/passwd') via the legacy file audit path option. Because the plugin directory guard is not consistently enforced on this legacy code path, Vault processes the traversal, exposing file content outside the plugin directory. …
Remediation The primary fix is to upgrade HashiCorp Vault or Vault Enterprise to one of the patched releases: 2.0.1, 1.21.6, 1.20.11, or 1.19.17, as confirmed by HashiCorp's security advisory at https://discuss.hashicorp.com/t/hcsec-2026-16-vault-audit-device-plugin-directory-guard-bypass-via-legacy-path-option/77536. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Vault

View all
CVE-2024-0831 MEDIUM POC
6.5 Feb 01

Vault and Vault Enterprise (“Vault”) may expose sensitive information when enabling an audit device which specifies the

CVE-2024-2048 CRITICAL
9.8 Mar 04

Vault and Vault Enterprise (“Vault”) TLS certificate auth method did not correctly validate client certificates when con

CVE-2020-35192 CRITICAL
9.8 Dec 17

The official vault docker images before 0.11.6 contain a blank password for a root user. Rated critical severity (CVSS 9

CVE-2020-12757 CRITICAL
9.8 Jun 10

HashiCorp Vault and Vault Enterprise 1.4.0 and 1.4.1, when configured with the GCP Secrets Engine, may incorrectly gener

CVE-2022-40186 CRITICAL
9.1 Sep 22

An issue was discovered in HashiCorp Vault and Vault Enterprise before 1.11.3. Rated critical severity (CVSS 9.1), this

CVE-2022-36129 CRITICAL
9.1 Jul 26

HashiCorp Vault Enterprise 1.7.0 through 1.9.7, 1.10.4, and 1.11.0 clusters using Integrated Storage expose an unauthent

CVE-2020-10661 CRITICAL
9.1 Mar 23

HashiCorp Vault and Vault Enterprise versions 0.11.0 through 1.3.3 may, under certain circumstances, have existing neste

CVE-2026-4525 HIGH
8.8 Apr 17

Token leakage in HashiCorp Vault and Vault Enterprise (0.11.2 up to 2.0.0, 1.21.5, 1.20.10, and 1.19.16) occurs when an

CVE-2024-7594 HIGH
8.8 Sep 26

Vault’s SSH secrets engine did not require the valid_principals list to contain a value by default. Rated high severity

CVE-2020-16251 HIGH
8.2 Aug 26

HashiCorp Vault and Vault Enterprise versions 0.8.3 and newer, when configured with the GCP GCE auth method, may be vuln

CVE-2020-16250 HIGH
8.2 Aug 26

HashiCorp Vault and Vault Enterprise versions 0.7.1 and newer, when configured with the AWS IAM auth method, may be vuln

CVE-2026-3605 HIGH
8.1 Apr 17

HashiCorp Vault's KVv2 secrets engine allows authenticated users with glob-based policy access to delete secrets outside

Share

CVE-2026-5051 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy