Skip to main content

Vault CVE-2026-5807

| EUVDEUVD-2026-23362 HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-04-17 HashiCorp GHSA-88v5-9hxc-f85r
7.5
CVSS 3.1 · Vendor: HashiCorp
Share

Severity by source

Vendor (HashiCorp) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (HashiCorp).

CVSS VectorVendor: HashiCorp

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

8
Patch released
Apr 27, 2026 - 15:03 nvd
Patch available
Analysis Updated
Apr 17, 2026 - 05:27 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 17, 2026 - 05:22 vuln.today
cvss_changed
Patch available
Apr 17, 2026 - 05:01 EUVD
Analysis Generated
Apr 17, 2026 - 04:41 vuln.today
EUVD ID Assigned
Apr 17, 2026 - 04:30 euvd
EUVD-2026-23362
Analysis Generated
Apr 17, 2026 - 04:30 vuln.today
CVE Published
Apr 17, 2026 - 03:22 nvd
HIGH 7.5

DescriptionCVE.org

Vault is vulnerable to a denial-of-service condition where an unauthenticated attacker can repeatedly initiate or cancel root token generation or rekey operations, occupying the single in-progress operation slot. This prevents legitimate operators from completing these workflows. This vulnerability, CVE-2026-5807, is fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0.

AnalysisAI

HashiCorp Vault unauthenticated denial-of-service vulnerability allows remote attackers to block critical administrative operations by monopolizing the single operation slot for root token generation and rekey workflows. Affects all Vault Community and Enterprise versions prior to 2.0.0. No active exploitation confirmed (EPSS 3rd percentile), but attack is trivially automatable per CISA SSVC framework. HashiCorp released patches in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0.

Technical ContextAI

HashiCorp Vault is a secrets management platform used to secure, store, and control access to tokens, passwords, certificates, and encryption keys. This vulnerability exploits CWE-770 (Allocation of Resources Without Limits or Throttling) in Vault's administrative workflow handling. Vault enforces a single-operation concurrency model for sensitive operations like root token generation and cluster rekey processes-only one such operation can be in-progress at a time. The affected code path lacks rate-limiting or authentication checks on operation initiation and cancellation endpoints, allowing attackers to spam these endpoints over the network (AV:N) with no credentials required (PR:N). The CPE strings cpe:2.3:a:hashicorp:vault and cpe:2.3:a:hashicorp:vault_enterprise indicate both product lines share the vulnerable code path. ENISA tracking (EUVD-2026-23362) confirms European infrastructure exposure.

RemediationAI

Upgrade to HashiCorp Vault Community Edition 2.0.0 or Vault Enterprise 2.0.0 per vendor advisory HCSEC-2026-08 at https://discuss.hashicorp.com/t/hcsec-2026-08-vault-vulnerable-to-denial-of-service-via-unauthenticated-root-token-generation-rekey-operations/77345. For environments unable to upgrade immediately, implement network-layer rate limiting on Vault API endpoints (specifically /sys/generate-root/* and /sys/rekey/* paths) to throttle unauthenticated requests-limit to 1-5 requests per minute per source IP. Deploy IP allowlisting via firewall rules or reverse proxy to restrict administrative API access to known operator networks or bastion hosts. Note that allowlisting reduces operational flexibility for distributed teams and may conflict with automated tooling that performs scheduled maintenance. Monitor Vault audit logs for abnormal volumes of generate-root or rekey initiation/cancellation events as attack indicators. Compensating controls reduce but do not eliminate risk since attackers within allowed IP ranges can still exploit the vulnerability. Testing patch in non-production is critical as Vault 2.0.0 represents a major version upgrade that may include breaking changes to plugin interfaces or configuration syntax.

More in Vault

View all
CVE-2024-0831 MEDIUM POC
6.5 Feb 01

Vault and Vault Enterprise (“Vault”) may expose sensitive information when enabling an audit device which specifies the

CVE-2024-2048 CRITICAL
9.8 Mar 04

Vault and Vault Enterprise (“Vault”) TLS certificate auth method did not correctly validate client certificates when con

CVE-2020-35192 CRITICAL
9.8 Dec 17

The official vault docker images before 0.11.6 contain a blank password for a root user. Rated critical severity (CVSS 9

CVE-2020-12757 CRITICAL
9.8 Jun 10

HashiCorp Vault and Vault Enterprise 1.4.0 and 1.4.1, when configured with the GCP Secrets Engine, may incorrectly gener

CVE-2022-40186 CRITICAL
9.1 Sep 22

An issue was discovered in HashiCorp Vault and Vault Enterprise before 1.11.3. Rated critical severity (CVSS 9.1), this

CVE-2022-36129 CRITICAL
9.1 Jul 26

HashiCorp Vault Enterprise 1.7.0 through 1.9.7, 1.10.4, and 1.11.0 clusters using Integrated Storage expose an unauthent

CVE-2020-10661 CRITICAL
9.1 Mar 23

HashiCorp Vault and Vault Enterprise versions 0.11.0 through 1.3.3 may, under certain circumstances, have existing neste

CVE-2026-4525 HIGH
8.8 Apr 17

Token leakage in HashiCorp Vault and Vault Enterprise (0.11.2 up to 2.0.0, 1.21.5, 1.20.10, and 1.19.16) occurs when an

CVE-2024-7594 HIGH
8.8 Sep 26

Vault’s SSH secrets engine did not require the valid_principals list to contain a value by default. Rated high severity

CVE-2020-16251 HIGH
8.2 Aug 26

HashiCorp Vault and Vault Enterprise versions 0.8.3 and newer, when configured with the GCP GCE auth method, may be vuln

CVE-2020-16250 HIGH
8.2 Aug 26

HashiCorp Vault and Vault Enterprise versions 0.7.1 and newer, when configured with the AWS IAM auth method, may be vuln

CVE-2026-3605 HIGH
8.1 Apr 17

HashiCorp Vault's KVv2 secrets engine allows authenticated users with glob-based policy access to delete secrets outside

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2026-5807 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy