Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from Vendor (HashiCorp).
CVSS VectorVendor: HashiCorp
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
8DescriptionCVE.org
Vault is vulnerable to a denial-of-service condition where an unauthenticated attacker can repeatedly initiate or cancel root token generation or rekey operations, occupying the single in-progress operation slot. This prevents legitimate operators from completing these workflows. This vulnerability, CVE-2026-5807, is fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0.
AnalysisAI
HashiCorp Vault unauthenticated denial-of-service vulnerability allows remote attackers to block critical administrative operations by monopolizing the single operation slot for root token generation and rekey workflows. Affects all Vault Community and Enterprise versions prior to 2.0.0. No active exploitation confirmed (EPSS 3rd percentile), but attack is trivially automatable per CISA SSVC framework. HashiCorp released patches in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0.
Technical ContextAI
HashiCorp Vault is a secrets management platform used to secure, store, and control access to tokens, passwords, certificates, and encryption keys. This vulnerability exploits CWE-770 (Allocation of Resources Without Limits or Throttling) in Vault's administrative workflow handling. Vault enforces a single-operation concurrency model for sensitive operations like root token generation and cluster rekey processes-only one such operation can be in-progress at a time. The affected code path lacks rate-limiting or authentication checks on operation initiation and cancellation endpoints, allowing attackers to spam these endpoints over the network (AV:N) with no credentials required (PR:N). The CPE strings cpe:2.3:a:hashicorp:vault and cpe:2.3:a:hashicorp:vault_enterprise indicate both product lines share the vulnerable code path. ENISA tracking (EUVD-2026-23362) confirms European infrastructure exposure.
RemediationAI
Upgrade to HashiCorp Vault Community Edition 2.0.0 or Vault Enterprise 2.0.0 per vendor advisory HCSEC-2026-08 at https://discuss.hashicorp.com/t/hcsec-2026-08-vault-vulnerable-to-denial-of-service-via-unauthenticated-root-token-generation-rekey-operations/77345. For environments unable to upgrade immediately, implement network-layer rate limiting on Vault API endpoints (specifically /sys/generate-root/* and /sys/rekey/* paths) to throttle unauthenticated requests-limit to 1-5 requests per minute per source IP. Deploy IP allowlisting via firewall rules or reverse proxy to restrict administrative API access to known operator networks or bastion hosts. Note that allowlisting reduces operational flexibility for distributed teams and may conflict with automated tooling that performs scheduled maintenance. Monitor Vault audit logs for abnormal volumes of generate-root or rekey initiation/cancellation events as attack indicators. Compensating controls reduce but do not eliminate risk since attackers within allowed IP ranges can still exploit the vulnerability. Testing patch in non-production is critical as Vault 2.0.0 represents a major version upgrade that may include breaking changes to plugin interfaces or configuration syntax.
Vault and Vault Enterprise (“Vault”) may expose sensitive information when enabling an audit device which specifies the
Vault and Vault Enterprise (“Vault”) TLS certificate auth method did not correctly validate client certificates when con
The official vault docker images before 0.11.6 contain a blank password for a root user. Rated critical severity (CVSS 9
HashiCorp Vault and Vault Enterprise 1.4.0 and 1.4.1, when configured with the GCP Secrets Engine, may incorrectly gener
An issue was discovered in HashiCorp Vault and Vault Enterprise before 1.11.3. Rated critical severity (CVSS 9.1), this
HashiCorp Vault Enterprise 1.7.0 through 1.9.7, 1.10.4, and 1.11.0 clusters using Integrated Storage expose an unauthent
HashiCorp Vault and Vault Enterprise versions 0.11.0 through 1.3.3 may, under certain circumstances, have existing neste
Token leakage in HashiCorp Vault and Vault Enterprise (0.11.2 up to 2.0.0, 1.21.5, 1.20.10, and 1.19.16) occurs when an
Vault’s SSH secrets engine did not require the valid_principals list to contain a value by default. Rated high severity
HashiCorp Vault and Vault Enterprise versions 0.8.3 and newer, when configured with the GCP GCE auth method, may be vuln
HashiCorp Vault and Vault Enterprise versions 0.7.1 and newer, when configured with the AWS IAM auth method, may be vuln
HashiCorp Vault's KVv2 secrets engine allows authenticated users with glob-based policy access to delete secrets outside
Same technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23362
GHSA-88v5-9hxc-f85r