Skip to main content

Vault Enterprise

4 CVEs product

Monthly

CVE-2026-5051 MEDIUM PATCH This Month

Plugin directory guard bypass in HashiCorp Vault and Vault Enterprise allows a highly privileged, authenticated attacker to read files outside the intended audit plugin directory via path traversal. Exploitation requires network access, high-privilege credentials, and the use of the legacy file audit path option - a non-default configuration. Fixed versions are 2.0.1, 1.21.6, 1.20.11, and 1.19.17; no public exploit or active exploitation (CISA KEV) has been identified at time of analysis.

Hashicorp Path Traversal Vault Vault Enterprise
NVD VulDB
CVSS 3.1
4.4
EPSS
0.3%
CVE-2026-5807 Go HIGH PATCH GHSA This Week

HashiCorp Vault unauthenticated denial-of-service vulnerability allows remote attackers to block critical administrative operations by monopolizing the single operation slot for root token generation and rekey workflows. Affects all Vault Community and Enterprise versions prior to 2.0.0. No active exploitation confirmed (EPSS 3rd percentile), but attack is trivially automatable per CISA SSVC framework. HashiCorp released patches in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0.

Denial Of Service Hashicorp Vault Vault Enterprise
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-4525 Go HIGH PATCH GHSA This Week

Token leakage in HashiCorp Vault and Vault Enterprise (0.11.2 up to 2.0.0, 1.21.5, 1.20.10, and 1.19.16) occurs when an auth mount is configured to pass through the 'Authorization' header and that same header is used to authenticate to Vault; in this case Vault forwards the caller's Vault token onward to the auth plugin backend. An authenticated client's token is thereby exposed to a plugin backend that should never see it, enabling potential impersonation and unauthorized secret access. No public exploit identified at time of analysis, and EPSS exploitation probability is negligible (0.01%, 3rd percentile).

Information Disclosure Hashicorp Vault Vault Enterprise
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-3605 Go HIGH PATCH GHSA This Week

HashiCorp Vault's KVv2 secrets engine allows authenticated users with glob-based policy access to delete secrets outside their authorization scope, causing denial-of-service across versions 0.10.0 through 1.x. The flaw stems from improper access control (CWE-288) in policy glob evaluation during delete operations. Exploitation requires valid Vault credentials with specific policy patterns but does not permit cross-namespace deletion or secret data exfiltration. Fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0/1.21.5/1.20.10/1.19.16. No active exploitation confirmed (EPSS 0.01%), but CVSS 8.1 reflects high integrity and availability impact for authenticated attackers.

Information Disclosure Hashicorp Vault Vault Enterprise
NVD
CVSS 3.1
8.1
EPSS
0.0%
EPSS 0% CVSS 4.4
MEDIUM PATCH This Month

Plugin directory guard bypass in HashiCorp Vault and Vault Enterprise allows a highly privileged, authenticated attacker to read files outside the intended audit plugin directory via path traversal. Exploitation requires network access, high-privilege credentials, and the use of the legacy file audit path option - a non-default configuration. Fixed versions are 2.0.1, 1.21.6, 1.20.11, and 1.19.17; no public exploit or active exploitation (CISA KEV) has been identified at time of analysis.

Hashicorp Path Traversal Vault +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

HashiCorp Vault unauthenticated denial-of-service vulnerability allows remote attackers to block critical administrative operations by monopolizing the single operation slot for root token generation and rekey workflows. Affects all Vault Community and Enterprise versions prior to 2.0.0. No active exploitation confirmed (EPSS 3rd percentile), but attack is trivially automatable per CISA SSVC framework. HashiCorp released patches in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0.

Denial Of Service Hashicorp Vault +1
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Token leakage in HashiCorp Vault and Vault Enterprise (0.11.2 up to 2.0.0, 1.21.5, 1.20.10, and 1.19.16) occurs when an auth mount is configured to pass through the 'Authorization' header and that same header is used to authenticate to Vault; in this case Vault forwards the caller's Vault token onward to the auth plugin backend. An authenticated client's token is thereby exposed to a plugin backend that should never see it, enabling potential impersonation and unauthorized secret access. No public exploit identified at time of analysis, and EPSS exploitation probability is negligible (0.01%, 3rd percentile).

Information Disclosure Hashicorp Vault +1
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

HashiCorp Vault's KVv2 secrets engine allows authenticated users with glob-based policy access to delete secrets outside their authorization scope, causing denial-of-service across versions 0.10.0 through 1.x. The flaw stems from improper access control (CWE-288) in policy glob evaluation during delete operations. Exploitation requires valid Vault credentials with specific policy patterns but does not permit cross-namespace deletion or secret data exfiltration. Fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0/1.21.5/1.20.10/1.19.16. No active exploitation confirmed (EPSS 0.01%), but CVSS 8.1 reflects high integrity and availability impact for authenticated attackers.

Information Disclosure Hashicorp Vault +1
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy