CVE-2026-4525
Published 2026-04-17
Priority P3 (53) · high · 8.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.41% (32.4th percentile)
If a Vault auth mount is configured to pass through the "Authorization" header, and the "Authorization" header is used to authenticate to Vault, Vault forwarded the Vault token to the auth plugin backend. Fixed in 2.0.0, 1.21.5, 1.20.10, and 1.19.16.
Affected (14 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | hashicorp_vault | 0.11.2 – 1.21.4 | — |
| hashicorp | vault | >= 0.11.2 < 1.19.16 | 1.19.16 |
| hashicorp | vault | >= 0.11.2 < 2.0.0 | 2.0.0 |
| hashicorp | vault | >= 1.20.0 < 1.20.10 | 1.20.10 |
| hashicorp | vault | >= 1.21.0 < 1.21.5 | 1.21.5 |
| hashicorp | vault_enterprise | >= 0.11.2 < 2.0.0 | 2.0.0 |
| ocs4 | cephcsi-rhel8 | — | — |
| odf4 | cephcsi-rhel8 | — | — |
| odf4 | cephcsi-rhel9 | — | — |
| odf4 | mcg-cli-rhel9 | — | — |
| odf4 | mcg-rhel8-operator | — | — |
| odf4 | mcg-rhel9-operator | — | — |
| openshift4 | ose-baremetal-installer-rhel9 | — | — |
| openshift4 | ose-installer-rhel9 | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| vendor_redhat | — | 7.5 | HIGH | — |
Red Hat
Vault: Vault: Information disclosure of authentication tokens via incorrect header handling
vendor_redhat · 2026-04-17 · CVSS 7.5 · HIGH · CWE-201
A flaw was found in Vault. When a Vault authentication mount is configured to pass through the "Authorization" header, and this header is used for authentication, Vault incorrectly forwards the sensitive Vault token to the authentication plugin backend. This can lead to the disclosure of authentication tokens to potentially untrusted or compromised backend plugins, enabling unauthorized access or further system compromise.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Package: openshift4/ose-baremeta
GHSA
HashiCorp Vault May Expose Tokens to Auth Plugins Due to Incorrect Header Sanitization
ghsa · 2026-04-17 · HIGH · CWE-201
If a Vault auth mount is configured to pass through the "Authorization" header, and the "Authorization" header is used to authenticate to Vault, Vault forwarded the Vault token to the auth plugin backend. Fixed in 2.0.0, 1.21.5, 1.20.10, and 1.19.16.
No detection rules found.
No public exploits indexed.
References
- https://discuss.hashicorp.com/t/hcsec-2026-07-vault-may-expose-tokens-to-auth-plugins-due-to-incorrect-header-sanitization/77344
- https://access.redhat.com/security/cve/CVE-2026-4525
- https://bugzilla.redhat.com/show_bug.cgi?id=2459107
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-4525.json
Published 2026-04-17