Github.Com Hashicorp Vault vulnerabilities

CVE-2026-4525 [HIGH] CWE-201 HashiCorp Vault May Expose Tokens to Auth Plugins Due to Incorrect Header Sanitization HashiCorp Vault May Expose Tokens to Auth Plugins Due to Incorrect Header Sanitization If a Vault auth mount is configured to pass through the "Authorization" header, and the "Authorization" header is used to authenticate to Vault, Vault forwarded the Vault token to the auth plugin backend. Fixed in 2.0.0, 1.21.5, 1.20.10, and 1.19.16.

CVE-2026-3605 [HIGH] CWE-288 HashiCorp Vault has a KVv2 Metadata and Secret Deletion Policy Bypass that leads to Denial-of-Service HashiCorp Vault has a KVv2 Metadata and Secret Deletion Policy Bypass that leads to Denial-of-Service An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user to delete secrets across na

CVE-2026-5807 [HIGH] CWE-770 HashiCorp Vault Vulnerable to Denial-of-Service via Unauthenticated Root Token Generation/Rekey Operations HashiCorp Vault Vulnerable to Denial-of-Service via Unauthenticated Root Token Generation/Rekey Operations Vault is vulnerable to a denial-of-service condition where an unauthenticated attacker can repeatedly initiate or cancel root token generation or rekey operations, occupying the single in-progress operation slot. This prevents legitimate operators from com

CVE-2026-5052 [MEDIUM] CWE-918 HashiCorp Vault has Server-Side Request Forgery in ACME Challenge Validation via Attacker-Controlled DNS HashiCorp Vault has Server-Side Request Forgery in ACME Challenge Validation via Attacker-Controlled DNS Vault’s PKI engine’s ACME validation did not reject local targets when issuing http-01 and tls-alpn-01 challenges. This may lead to these requests being sent to local network targets, potentially leading to information disclosure. Fixed in Vault Community Ed

CVE-2025-12044 [HIGH] CWE-770 Hashicorp Vault and Vault Enterprise vulnerable to a denial of service when processing JSON Hashicorp Vault and Vault Enterprise vulnerable to a denial of service when processing JSON Vault and Vault Enterprise ("Vault") are vulnerable to an unauthenticated denial of service when processing JSON payloads. This occurs due to a regression from a previous fix for [+HCSEC-2025-24+|https://discuss.hashicorp.com/t/hcsec-2025-24-vault-denial-of-service-though-complex-json

CVE-2025-11621 [HIGH] CWE-288 HashiCorp Vault and Vault Enterprise's AWS Auth method may be susceptible to authentication bypass HashiCorp Vault and Vault Enterprise's AWS Auth method may be susceptible to authentication bypass Vault and Vault Enterprise's ("Vault") AWS Auth method may be susceptible to authentication bypass if the role of the configured bound_principal_iam is the same across AWS accounts, or uses a wildcard. This vulnerability is fixed in Vault Community Edition 1.21.0 and Vau

CVE-2025-6203 [HIGH] CWE-770 HashiCorp Vault Community Edition Denial of Service Though Complex JSON Payloads HashiCorp Vault Community Edition Denial of Service Though Complex JSON Payloads A malicious user may submit a specially-crafted complex payload that otherwise meets the default request size limit which results in excessive memory and CPU consumption of Vault. This may lead to a timeout in Vault’s auditing subroutine, potentially resulting in the Vault server to become unresponsive. Thi

CVE-2025-6013 [MEDIUM] CWE-156 HashiCorp Vault ldap auth method may not have correctly enforced MFA HashiCorp Vault ldap auth method may not have correctly enforced MFA Vault and Vault Enterprise’s (“Vault”) ldap auth method may not have correctly enforced MFA if username_as_alias was set to true and a user had multiple CNs that are equal but with leading or trailing spaces. Fixed in Vault Community Edition 1.20.2 and Vault Enterprise 1.20.2, 1.19.8, 1.18.13, and 1.16.24.

CVE-2025-6000 [CRITICAL] CWE-94 Hashicorp Vault has Code Execution Vulnerability via Plugin Configuration Hashicorp Vault has Code Execution Vulnerability via Plugin Configuration A privileged Vault operator within the root namespace with write permission to {{sys/audit}} may obtain code execution on the underlying host if a plugin directory is set in Vault’s configuration. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

CVE-2025-5999 [HIGH] CWE-266 Hashicorp Vault has Privilege Escalation Vulnerability Hashicorp Vault has Privilege Escalation Vulnerability A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or another user’s token privileges to Vault’s root policy. Fixed in Vault Community Edition 1.20.0 and Vault Enterprise 1.20.0, 1.19.6, 1.18.11 and 1.16.22.

CVE-2025-6014 [MEDIUM] CWE-156 Hashicorp Vault's TOTP Secrets Engine Susceptible to Code Reuse Hashicorp Vault's TOTP Secrets Engine Susceptible to Code Reuse Vault and Vault Enterprise’s (“Vault”) TOTP Secrets Engine code validation endpoint is susceptible to code reuse within its validity period. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

CVE-2025-6015 [MEDIUM] CWE-307 Hashicorp Vault has Login MFA Rate Limit Bypass Vulnerability Hashicorp Vault has Login MFA Rate Limit Bypass Vulnerability Vault and Vault Enterprise’s (“Vault”) login MFA rate limits could be bypassed and TOTP tokens could be reused. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

CVE-2025-6004 [MEDIUM] CWE-307 Hashicorp Vault has Lockout Feature Authentication Bypass Hashicorp Vault has Lockout Feature Authentication Bypass Vault and Vault Enterprise’s (“Vault”) user lockout feature could be bypassed for Userpass and LDAP authentication methods. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

CVE-2025-6037 [MEDIUM] CWE-295 Hashicorp Vault has Incorrect Validation for Non-CA Certificates Hashicorp Vault has Incorrect Validation for Non-CA Certificates Vault and Vault Enterprise (“Vault”) TLS certificate auth method did not correctly validate client certificates when configured with a non-CA certificate as [+trusted certificate+|https://developer.hashicorp.com/vault/api-docs/auth/cert#certificate]. In this configuration, an attacker may be able to craft a malicious certificate that co

CVE-2025-6011 [LOW] CWE-203 Hashicorp Vault has an Observable Discrepancy on Existing and Non-Existing Users Hashicorp Vault has an Observable Discrepancy on Existing and Non-Existing Users A timing side channel in Vault and Vault Enterprise’s (“Vault”) userpass auth method allowed an attacker to distinguish between existing and non-existing users, and potentially enumerate valid usernames for Vault’s Userpass auth method. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.1

CVE-2025-4656 [LOW] CWE-1088 Vault Community Edition rekey and recovery key operations can cause denial of service Vault Community Edition rekey and recovery key operations can cause denial of service Vault Community and Vault Enterprise rekey and recovery key operations can lead to a denial of service due to uncontrolled cancellation by a Vault operator. This vulnerability (CVE-2025-4656) has been remediated in Vault Community Edition 1.20.0 and Vault Enterprise 1.20.0, 1.19.6, 1.18.11, 1.17.1

CVE-2025-4166 [MEDIUM] CWE-209 Hashicorp Vault Community vulnerable to Generation of Error Message Containing Sensitive Information Hashicorp Vault Community vulnerable to Generation of Error Message Containing Sensitive Information Vault Community and Vault Enterprise Key/Value (kv) Version 2 plugin may unintentionally expose sensitive information in server and audit logs when users submit malformed payloads during secret creation or update operations via the Vault REST API. This vulnerability

CVE-2025-3879 [MEDIUM] CWE-863 Hashicorp Vault Community vulnerable to Incorrect Authorization Hashicorp Vault Community vulnerable to Incorrect Authorization Vault Community, Vault Enterprise (“Vault”) Azure Auth method did not correctly validate the claims in the Azure-issued token, resulting in the potential bypass of the bound_locations parameter on login. Fixed in Vault Community Edition 1.19.1 and Vault Enterprise 1.19.1, 1.18.7, 1.17.14, 1.16.18.

CVE-2024-8185 [HIGH] CWE-636 Hashicorp Vault vulnerable to denial of service through memory exhaustion Hashicorp Vault vulnerable to denial of service through memory exhaustion Vault Community and Vault Enterprise (“Vault”) clusters using Vault’s Integrated Storage backend are vulnerable to a denial-of-service (DoS) attack through memory exhaustion through a Raft cluster join API endpoint. An attacker may send a large volume of requests to the endpoint which may cause Vault to consume excessive

CVE-2024-9180 [HIGH] CWE-266 Vault Community Edition privilege escalation vulnerability Vault Community Edition privilege escalation vulnerability A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their privileges to Vault’s root policy. Fixed in Vault Community Edition 1.18.0 and Vault Enterprise 1.18.0, 1.17.7, 1.16.11, and 1.15.16