CVE-2026-5052
published 2026-04-17CVE-2026-5052: Vault’s PKI engine’s ACME validation did not reject local targets when issuing http-01 and tls-alpn-01 challenges. This may lead to these requests being sent…
PriorityP349high8.6CVSS 3.1
AVNACLPRNUINSCCHINAN
EPSS
0.33%
24.9th percentile
Vault’s PKI engine’s ACME validation did not reject local targets when issuing http-01 and tls-alpn-01 challenges. This may lead to these requests being sent to local network targets, potentially leading to information disclosure. Fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.
Affected
15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | hashicorp_vault | 1.14.0 – 1.21.4 | — |
| hashicorp | vault | >= 1.14.0 < 1.19.16 | 1.19.16 |
| hashicorp | vault | >= 1.14.0 < 2.0.0 | 2.0.0 |
| hashicorp | vault | >= 1.15.0 < 2.0.0 | 2.0.0 |
| hashicorp | vault | >= 1.20.0 < 1.20.10 | 1.20.10 |
| hashicorp | vault | >= 1.21.0 < 1.21.5 | 1.21.5 |
| hashicorp | vault_enterprise | >= 1.15.0 < 2.0.0 | 2.0.0 |
| ocs4 | cephcsi-rhel8 | — | — |
| odf4 | cephcsi-rhel8 | — | — |
| odf4 | cephcsi-rhel9 | — | — |
| odf4 | mcg-cli-rhel9 | — | — |
| odf4 | mcg-rhel8-operator | — | — |
| odf4 | mcg-rhel9-operator | — | — |
| openshift4 | ose-baremetal-installer-rhel9 | — | — |
| openshift4 | ose-installer-rhel9 | — | — |
CVSS provenance
nvdv3.18.6HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
vendor_redhat5.3MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Red Hat
Vault: Vault: Information disclosure via Server-Side Request Forgery in ACME challenge validation
vendor_redhat·2026-04-17·CVSS 5.3
CVE-2026-5052 [MEDIUM] CWE-918 Vault: Vault: Information disclosure via Server-Side Request Forgery in ACME challenge validation
Vault: Vault: Information disclosure via Server-Side Request Forgery in ACME challenge validation
A flaw was found in Vault’s PKI engine. The ACME (Automated Certificate Management Environment) validation process did not properly restrict requests to local network targets when handling http-01 and tls-alpn-01 challenges. This vulnerability, known as Server-Side Request Forgery (SSRF), could allow a remote attacker to send crafted ACME validation challenges, potentially leading to the disclosure of sensitive information from internal network resources.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stabi
GHSA
HashiCorp Vault has Server-Side Request Forgery in ACME Challenge Validation via Attacker-Controlled DNS
ghsa·2026-04-17
CVE-2026-5052 [MEDIUM] CWE-918 HashiCorp Vault has Server-Side Request Forgery in ACME Challenge Validation via Attacker-Controlled DNS
HashiCorp Vault has Server-Side Request Forgery in ACME Challenge Validation via Attacker-Controlled DNS
Vault’s PKI engine’s ACME validation did not reject local targets when issuing http-01 and tls-alpn-01 challenges. This may lead to these requests being sent to local network targets, potentially leading to information disclosure. Fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.
No detection rules found.
No public exploits indexed.
2026-04-17
Published