CVE-2026-3605
Published 2026-04-17

CVE-2026-3605: An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write…

Priority P3 · 49 · high · 8.1 (CVSS 3.1)
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
EPSS 0.38% (29.5th percentile)
An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user to delete secrets across namespaces, nor read any secret data. Fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | hashicorp_vault | 0.10.0 – 1.21.4 | — |
| hashicorp | vault | >= 0.10.0 < 1.19.16 | 1.19.16 |
| hashicorp | vault | >= 0.10.0 < 2.0.0 | 2.0.0 |
| hashicorp | vault | >= 1.20.0 < 1.20.10 | 1.20.10 |
| hashicorp | vault | >= 1.21.0 < 1.21.5 | 1.21.5 |
| hashicorp | vault_enterprise | >= 0.10.0 < 2.0.0 | 2.0.0 |
| ocs4 | cephcsi-rhel8 | — | — |
| odf4 | cephcsi-rhel8 | — | — |
| odf4 | cephcsi-rhel9 | — | — |
| odf4 | mcg-cli-rhel9 | — | — |
| odf4 | mcg-rhel8-operator | — | — |
| odf4 | mcg-rhel9-operator | — | — |
| openshift4 | ose-baremetal-installer-rhel9 | — | — |
| openshift4 | ose-installer-rhel9 | — | — |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H |
| vendor_redhat | 8.1 | HIGH | — |
Red Hat
Vault: Vault: Denial of Service due to unauthorized secret deletion via policy bypass
vendor_redhat · 2026-04-17 · CVSS 8.1
CVE-2026-3605 [HIGH] CWE-639
A flaw was found in Vault. An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write. This vulnerability can lead to a denial-of-service by allowing the deletion of critical data. It does not permit a malicious user to delete secrets across namespaces or read any secret data.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Package: openshift4/ose-baremetal-installer-rhel9 (Red Hat OpenShift Container Platform 4)
GHSA
HashiCorp Vault has a KVv2 Metadata and Secret Deletion Policy Bypass that leads to Denial-of-Service
ghsa · 2026-04-17
CVE-2026-3605 [HIGH] CWE-288
An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user to delete secrets across namespaces, nor read any secret data. Fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.
No detection rules found.
No public exploits indexed.
References:
- https://discuss.hashicorp.com/t/hcsec-2026-05-vault-kvv2-metadata-and-secret-deletion-policy-bypass-denial-of-service/77342
- https://access.redhat.com/security/cve/CVE-2026-3605
- https://bugzilla.redhat.com/show_bug.cgi?id=2459105
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-3605.json

Published 2026-04-17