CVE-2025-11621: Authentication Bypass Using an Alternate Path or Channel in Vault Enterprise

Severity
8.1 HIGH (NVD)
EPSS
0.1% (top 67.47%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Oct 23
Latest update: Oct 30

Description

Vault and Vault Enterprise's ("Vault") AWS Auth method may be susceptible to authentication bypass if the role of the configured bound_principal_iam is the same across AWS accounts, or uses a wildcard. This vulnerability, CVE-2025-11621, is fixed in Vault Community Edition 1.21.0 and Vault Enterprise 1.21.0, 1.20.5, 1.19.11, and 1.16.27.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Exploitability: 2.8 | Impact: 5.2

Affected Packages (3 packages)

Source      Package                        Introduced   Fixed
CVEListV5   hashicorp/vault_enterprise     0.6.0        1.21.0
NVD         hashicorp/vault                0.6.0        1.16.27 (+4)
Go          github.com/hashicorp/vault     0.6.0        1.21.0

Vulnerability Details (3)

OSV: HashiCorp Vault and Vault Enterprise's AWS Auth method may be susceptible to authentication bypass in github.com/hashicorp/vault (2025-10-30)
GHSA: HashiCorp Vault and Vault Enterprise's AWS Auth method may be susceptible to authentication bypass (2025-10-23)
OSV: HashiCorp Vault and Vault Enterprise's AWS Auth method may be susceptible to authentication bypass (2025-10-23)

Vendor Advisories (1)

Red Hat: github.com/hashicorp/vault: Vault AWS auth method bypass due to AWS client cache (2025-10-23)