CVE-2025-6013
Published: 2025-08-06
Priority: P3 (47) · Severity: High · CVSS 3.1 base score: 8.1
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.47% (37.0th percentile)
Vault and Vault Enterprise’s (“Vault”) ldap auth method may not have correctly enforced MFA if username_as_alias was set to true and a user had multiple CNs that are equal but with leading or trailing spaces. Fixed in Vault Community Edition 1.20.2 and Vault Enterprise 1.20.2, 1.19.8, 1.18.13, and 1.16.24.
Affected (10 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | hashicorp_vault | >= 0 < 1.20.2 | 1.20.2 |
| github.com | openbao_openbao | >= 0 < 0.0.0-20250807212521-c52795c1ef74 | 0.0.0-20250807212521-c52795c1ef74 |
| github.com | openbao_openbao | >= 0.1.0 < 2.3.2 | 2.3.2 |
| hashicorp | vault | >= 1.10.0 < 1.20.2 | 1.20.2 |
| hashicorp | vault | 1.10.0 – 1.15.16 | — |
| hashicorp | vault | >= 1.16.0 < 1.16.24 | 1.16.24 |
| hashicorp | vault | >= 1.17.0 < 1.18.13 | 1.18.13 |
| hashicorp | vault | >= 1.19.0 < 1.19.8 | 1.19.8 |
| hashicorp | vault | >= 1.20.0 < 1.20.2 | 1.20.2 |
| hashicorp | vault_enterprise | >= 1.10.0 < 1.20.2 | 1.20.2 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
| GHSA | | 8.1 | HIGH | |
| OSV | | 8.1 | HIGH | |
| Red Hat (vendor) | | 6.5 | MEDIUM | |
OSV · 2025-08-11
CVE-2025-6013: HashiCorp Vault ldap auth method may not have correctly enforced MFA in github.com/hashicorp/vault
OSV · 2025-08-08 · CVSS 8.1
CVE-2025-55001 [HIGH]: OpenBao LDAP MFA Enforcement Bypass When Using Username As Alias
### Impact
OpenBao allows assignment of policies and MFA attribution based upon entity aliases, chosen by the underlying auth method. When using the `username_as_alias=true` parameter in the LDAP auth method, the caller-supplied username is used verbatim without normalization, allowing an attacker to bypass alias-specific MFA requirements.
### Patches
OpenBao v2.3.2 will patch this issue.
### Workarounds
LDAP methods are only vulnerable if using `username_as_alias=true`. Remove all usage of this parameter and update any entity aliases accordingly.
### References
This issue was disclosed to HashiCorp and is the OpenBao equivalent of the following tickets:
- https://discuss.hashicorp.com/t/hcsec-2025-20-vault-ldap-mfa-
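The alias-attribution failure described in the Impact section, as an added illustration that is not OpenBao or Vault code: a toy model in which an MFA enforcement is bound to an entity alias name and the LDAP method derives that name from the login username, shown with the verbatim behaviour beside a trimmed form, plus a helper an operator can run over an alias list to flag names that differ only by surrounding whitespace. The alias table and usernames are constructed, and trim-based normalization is an assumption chosen for the illustration, not the project's actual patch.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample: alias names that have an MFA enforcement attached.
// (Hypothetical model of alias-based MFA attribution, not project code.)
var mfaBoundAliases = map[string]bool{
	"alice": true,
}

// normalizeAlias is the illustrative hardening: strip leading and trailing
// whitespace before a username is used as an entity alias name.
func normalizeAlias(username string) string {
	return strings.TrimSpace(username)
}

// mfaRequired reports whether an MFA enforcement applies to a login.
// normalize=false uses the username verbatim (the behaviour the advisory
// describes); normalize=true trims it first.
func mfaRequired(username string, normalize bool) bool {
	alias := username
	if normalize {
		alias = normalizeAlias(username)
	}
	return mfaBoundAliases[alias]
}

// findWhitespaceVariants groups alias names that become identical after
// trimming, so an operator can audit a mount for aliases that differ only
// by surrounding spaces. Only groups with more than one member are returned.
func findWhitespaceVariants(aliases []string) map[string][]string {
	groups := map[string][]string{}
	for _, a := range aliases {
		n := normalizeAlias(a)
		groups[n] = append(groups[n], a)
	}
	for n, g := range groups {
		if len(g) < 2 {
			delete(groups, n)
		}
	}
	return groups
}

func main() {
	fmt.Println(mfaRequired("alice", false), mfaRequired("alice ", false)) // true false
	fmt.Println(mfaRequired("alice ", true))                               // true
	fmt.Println(findWhitespaceVariants([]string{"alice", "alice ", "bob"}))
}
```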
GHSA · 2025-08-08 · CVSS 8.1
CVE-2025-55001 [HIGH] CWE-156: OpenBao LDAP MFA Enforcement Bypass When Using Username As Alias
OSV · 2025-08-06
CVE-2025-6013 [MEDIUM]: HashiCorp Vault ldap auth method may not have correctly enforced MFA
GHSA · 2025-08-06
CVE-2025-6013 [MEDIUM] CWE-156: HashiCorp Vault ldap auth method may not have correctly enforced MFA
Red Hat (vendor) · 2025-08-06 · CVSS 6.5
CVE-2025-6013 [MEDIUM] CWE-156: github.com/hashicorp/vault: Vault LDAP MFA Bypass
A flaw was found in github.com/hashicorp/vault. The LDAP authentication method fails to properly enforce multi-factor authentication when `username_as_alias` is enabled and a user possesses multiple Common Names (CNs) containing differing leading or trailing spaces. A remote attacker authenticated as a user meeting these conditions can bypass MFA. This can allow unauthorized access to resources protected by Vault. The underlying issue i
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-08-06