CVE-2025-6011 — Observable Discrepancy in Vault Enterprise

CWE-203 — Observable Discrepancy7 documents4 sources

Severity

3.7LOWNVD

EPSS

0.0%

top 92.11%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Hashicorp Vault Enterprise Github.com Hashicorp Vault Github.com Openbao Openbao +1 more

Timeline

PublishedAug 1

Latest updateAug 11

Description

A timing side channel in Vault and Vault Enterprise’s (“Vault”) userpass auth method allowed an attacker to distinguish between existing and non-existing users, and potentially enumerate valid usernames for Vault’s Userpass auth method. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 2.2 | Impact: 1.4

Affected Packages4 packages

▶CVEListV5hashicorp/vault_enterprise< 1.20.1

▶NVDhashicorp/vault1.17.0 — 1.18.12+4

▶Gogithub.com/hashicorp_vault< 1.20.1

▶Gogithub.com/openbao_openbao0.1.0 — 2.3.2+1

🔴Vulnerability Details

OSV

Hashicorp Vault has an Observable Discrepancy on Existing and Non-Existing Users in github.com/hashicorp/vault↗2025-08-11

▶

GHSA

OpenBao has a Timing Side-Channel in the Userpass Auth Method↗2025-08-08

▶

OSV

OpenBao has a Timing Side-Channel in the Userpass Auth Method↗2025-08-08

▶

GHSA

Hashicorp Vault has an Observable Discrepancy on Existing and Non-Existing Users↗2025-08-01

▶

OSV

Hashicorp Vault has an Observable Discrepancy on Existing and Non-Existing Users↗2025-08-01

▶

📋Vendor Advisories

Red Hat

github.com/hashicorp/vault: Vault Userpass Authentication Timing Vulnerability↗2025-08-01

▶