CVE-2026-5052 — Server-Side Request Forgery in Vault
Severity
5.3 MEDIUM (NVD)
EPSS
0.0%
top 99.08%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Apr 17
Description
ACME validation in Vault's PKI engine did not reject local targets when issuing http-01 and tls-alpn-01 challenges. As a result, these challenge requests may be sent to local network targets, potentially leading to information disclosure. Fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploitability: 3.9 | Impact: 1.4
Affected Packages: 11 packages
Vulnerability Details
GHSA: HashiCorp Vault has Server-Side Request Forgery in ACME Challenge Validation via Attacker-Controlled DNS (2026-04-17)
Vendor Advisories
Red Hat: Vault: Vault: Information disclosure via Server-Side Request Forgery in ACME challenge validation (2026-04-17)
Community
Bugzilla: CVE-2026-5052 Vault: Vault: Information disclosure via Server-Side Request Forgery in ACME challenge validation (2026-04-17)