CVE-2025-5999: Incorrect Privilege Assignment in Vault Enterprise

Severity: 7.2 HIGH (NVD)
EPSS: 0.0% (top 88.41%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 1; latest update Nov 24

Description

A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or another user’s token privileges to Vault’s root policy. Fixed in Vault Community Edition 1.20.0 and Vault Enterprise 1.20.0, 1.19.6, 1.18.11 and 1.16.22.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.2 | Impact: 5.9

Affected Packages (4 packages)

Source     | Package                        | Affected from | Fixed in
CVEListV5  | hashicorp/vault_enterprise     | 0.10.4        | 1.20.0
NVD        | hashicorp/vault                | 0.10.4        | 1.16.22 (+3 more)
Go         | github.com/hashicorp_vault     | 0.10.4        | 1.20.0
Go         | github.com/openbao_openbao     | 0.1.0         | 2.3.2 (+2 more)

Vulnerability Details (7)

OSV: OpenBao is Vulnerable to Privileged Operator Identity Group Root Escalation (2025-11-24)
GHSA: OpenBao is Vulnerable to Privileged Operator Identity Group Root Escalation (2025-11-24)
OSV: Hashicorp Vault has Privilege Escalation Vulnerability in github.com/hashicorp/vault (2025-08-11)
OSV: OpenBao Root Namespace Operator May Elevate Token Privileges (2025-08-08)
GHSA: OpenBao Root Namespace Operator May Elevate Token Privileges (2025-08-08)

Vendor Advisories (1)

Red Hat: github.com/hashicorp/vault: Vault Identity Token Privilege Escalation (2025-08-01)