Skip to main content

Hashicorp CVE-2026-5052

| EUVDEUVD-2026-23344 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-04-17 HashiCorp GHSA-8r5m-3f66-qpr3
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Red Hat
5.8 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

6
Patch released
Apr 27, 2026 - 15:03 nvd
Patch available
Patch available
Apr 17, 2026 - 04:01 EUVD
Analysis Generated
Apr 17, 2026 - 03:33 vuln.today
EUVD ID Assigned
Apr 17, 2026 - 03:30 euvd
EUVD-2026-23344
Analysis Generated
Apr 17, 2026 - 03:30 vuln.today
CVE Published
Apr 17, 2026 - 02:55 nvd
MEDIUM 5.3

DescriptionCVE.org

Vault’s PKI engine’s ACME validation did not reject local targets when issuing http-01 and tls-alpn-01 challenges. This may lead to these requests being sent to local network targets, potentially leading to information disclosure. Fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.

AnalysisAI

Server-side request forgery (SSRF) in HashiCorp Vault's PKI engine ACME validation allows unauthenticated remote attackers to send http-01 and tls-alpn-01 challenge requests to local network targets by controlling DNS responses, potentially disclosing sensitive information from internal services. The vulnerability affects Vault Community Edition before 2.0.0 and Vault Enterprise before 1.19.16, 1.20.10, or 1.21.5. HashiCorp has released patched versions; no public exploit code has been identified at the time of analysis.

Technical ContextAI

HashiCorp Vault's PKI (Public Key Infrastructure) engine implements ACME (Automated Certificate Management Environment) challenge validation as specified in RFC 8555. The http-01 and tls-alpn-01 challenge types require the server to validate control of a domain by connecting to the subject domain at specified ports (typically 80 for http-01 and 443 for tls-alpn-01). The vulnerability stems from CWE-918 (Server-Side Request Forgery), where the ACME validation logic fails to reject challenge requests that resolve to private/local network addresses (RFC 1918 ranges, loopback, link-local, multicast). By controlling DNS responses (through DNS hijacking, cache poisoning, or rogue authoritative servers), an attacker can cause Vault to send ACME challenge validation requests to internal network targets instead of public-facing infrastructure, enabling reconnaissance and information disclosure from services not directly accessible externally.

RemediationAI

Upgrade to Vault Community Edition 2.0.0 or later, or Vault Enterprise to version 1.19.16, 1.20.10, 1.21.5, or later, as specified in the HashiCorp advisory. If immediate upgrade is not feasible, restrict network access to Vault's ACME endpoints by implementing firewall rules or reverse-proxy ACLs that limit ACME requests to trusted certificate management systems and clients. Additionally, monitor and log all ACME challenge validation requests (including destination IP and hostname) to detect suspicious outbound connections to private network ranges. Disable the PKI engine's ACME feature entirely if not in use. Implement DNS security controls such as DNSSEC validation, DNS query logging, and isolation of Vault's DNS resolver from untrusted networks to mitigate DNS hijacking attacks that could redirect challenge validation to local targets. Be aware that blocking private IP ranges at the firewall level will prevent legitimate use cases where ACME validation must reach internal services; evaluate your certificate issuance workflow before applying this control.

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2021-30476 CRITICAL POC
9.8 Apr 22

HashiCorp Terraform’s Vault Provider (terraform-provider-vault) did not correctly configure GCE-type bound labels for Va

CVE-2019-7442 CRITICAL POC
9.8 May 08

An XML external entity (XXE) vulnerability in the Password Vault Web Access (PVWA) of CyberArk Enterprise Password Vault

CVE-2018-20371 CRITICAL POC
9.8 Dec 23

PhotoRange Photo Vault 1.2 appends the password to the URI for authorization, which makes it easier for remote attackers

CVE-2018-9843 CRITICAL POC
9.8 Apr 12

The REST API in CyberArk Password Vault Web Access before 9.9.5 and 10.x before 10.1 allows remote attackers to execute

CVE-2026-60104 CRITICAL POC
9.3 Jul 08

Account takeover in self-hosted Bitwarden Server before 2026.6.0 lets a low-privileged organization member steal any oth

CVE-2021-43837 CRITICAL POC
9.1 Dec 16

vault-cli is a configurable command-line interface tool (and python library) to interact with Hashicorp Vault. Rated cri

CVE-2020-16272 CRITICAL POC
9.1 Aug 03

The SRP-6a implementation in Kee Vault KeePassRPC before 1.12.0 is missing validation for a client-provided parameter, w

CVE-2020-16271 CRITICAL POC
9.1 Aug 03

The SRP-6a implementation in Kee Vault KeePassRPC before 1.12.0 generates insufficiently random numbers, which allows re

CVE-2017-11741 HIGH POC
8.8 Aug 08

HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) before 4.0.24 uses weak permissions for the sudo help

CVE-2024-52009 HIGH POC
8.5 Nov 08

Atlantis is a self-hosted golang application that listens for Terraform pull request events via webhooks. Rated high sev

CVE-2025-58437 HIGH POC
8.1 Sep 06

Coder allows organizations to provision remote development environments via Terraform. Rated high severity (CVSS 8.1), t

Vendor StatusVendor

Share

CVE-2026-5052 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy