Hashicorp Vault vulnerabilities
72 known vulnerabilities affecting hashicorp/vault.
Total CVEs: 72
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 7, HIGH 29, MEDIUM 33, LOW 3
Vulnerabilities
Page 1 of 4
CVE-2020-35192 | CRITICAL (P2) | CVSS 9.8 | CWE-306 | affected: ≥ 0.6.0, < 0.11.6 | published 2020-12-17 | source: nvd
The official vault docker images before 0.11.6 contain a blank password for a root user. Systems using the vault docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password.
CVE-2025-6000 | CRITICAL (P3) | CVSS 9.1 | CWE-94 | affected: ≥ 0.8.0, < 1.16.23; ≥ 0.8.0, < 1.20.1; +3 more | published 2025-08-01 | source: nvd
A privileged Vault operator within the root namespace with write permission to {{sys/audit}} may obtain code execution on the underlying host if a plugin directory is set in Vault’s configuration. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.
CVE-2020-16251 | HIGH (P3) | CVSS 8.2 | CWE-287 | affected: ≥ 0.8.3, < 1.2.5; ≥ 1.3.0, < 1.3.8; +2 more | published 2020-08-26 | source: nvd
HashiCorp Vault and Vault Enterprise versions 0.8.3 and newer, when configured with the GCP GCE auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1.
CVE-2026-4525 | HIGH (P3) | CVSS 8.8 | CWE-201 | affected: ≥ 0.11.2, < 1.19.16; ≥ 0.11.2, < 2.0.0; +2 more | published 2026-04-17 | source: nvd
If a Vault auth mount is configured to pass through the "Authorization" header, and the "Authorization" header is used to authenticate to Vault, Vault forwarded the Vault token to the auth plugin backend. Fixed in 2.0.0, 1.21.5, 1.20.10, and 1.19.16.
CVE-2025-11621 | HIGH (P3) | CVSS 8.1 | CWE-288 | affected: ≥ 0.6.0, < 1.16.27; ≥ 0.6.0, < 1.21.0; +3 more | published 2025-10-23 | source: nvd
Vault and Vault Enterprise’s (“Vault”) AWS Auth method may be susceptible to authentication bypass if the role of the configured bound_principal_iam is the same across AWS accounts, or uses a wildcard. This vulnerability, CVE-2025-11621, is fixed in Vault Community Edition 1.21.0 and Vault Enterprise 1.21.0, 1.20.5, 1.19.11, and 1.16.27.
CVE-2024-2048 | CRITICAL (P3) | CVSS 9.8 | CWE-295 | affected: fixed in 1.14.10; ≥ 1.15.0, < 1.15.5; +1 more | published 2024-03-04 | source: nvd
Vault and Vault Enterprise (“Vault”) TLS certificate auth method did not correctly validate client certificates when configured with a non-CA certificate as trusted certificate. In this configuration, an attacker may be able to craft a malicious certificate that could be used to bypass authentication. Fixed in Vault 1.15.5 and 1.14.10.
CVE-2022-36129 | CRITICAL (P3) | CVSS 9.1 | CWE-306 | affected: ≥ 1.7.0, ≤ 1.9.7; ≥ 1.10.0, ≤ 1.10.4; +1 more | published 2022-07-26 | source: nvd
HashiCorp Vault Enterprise 1.7.0 through 1.9.7, 1.10.4, and 1.11.0 clusters using Integrated Storage expose an unauthenticated API endpoint that could be abused to override the voter status of a node within a Vault HA cluster, introducing potential for future data loss or catastrophic failure. Fixed in Vault Enterprise 1.9.8, 1.10.5, and 1.11.1.
CVE-2025-3879 | HIGH (P3) | CVSS 8.8 | CWE-863 | affected: ≥ 0.10.0, < 1.16.18; ≥ 0.10.0, < 1.19.1; +3 more | published 2025-05-02 | source: nvd
Vault Community, Vault Enterprise (“Vault”) Azure Auth method did not correctly validate the claims in the Azure-issued token, resulting in the potential bypass of the bound_locations parameter on login. Fixed in Vault Community Edition 1.19.1 and Vault Enterprise 1.19.1, 1.18.7, 1.17.14, 1.16.18.
CVE-2020-16250 | HIGH (P3) | CVSS 8.2 | CWE-290 | affected: ≥ 0.7.1, < 1.2.5; ≥ 1.3.0, < 1.3.8; +2 more | published 2020-08-26 | source: nvd
HashiCorp Vault and Vault Enterprise versions 0.7.1 and newer, when configured with the AWS IAM auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1.
CVE-2024-7594 | HIGH (P3) | CVSS 8.8 | CWE-732 | affected: ≥ 1.7.7, < 1.15.15; ≥ 1.7.7, < 1.17.6; +2 more | published 2024-09-26 | source: nvd
Vault’s SSH secrets engine did not require the valid_principals list to contain a value by default. If the valid_principals and default_user fields of the SSH secrets engine configuration are not set, an SSH certificate requested by an authorized user to Vault’s SSH secrets engine could be used to authenticate as any user on the host. Fixed in Vault Comm
CVE-2026-5052 | HIGH (P3) | CVSS 8.6 | CWE-918 | affected: ≥ 1.14.0, < 1.19.16; ≥ 1.14.0, < 2.0.0; +3 more | published 2026-04-17 | source: nvd
Vault’s PKI engine’s ACME validation did not reject local targets when issuing http-01 and tls-alpn-01 challenges. This may lead to these requests being sent to local network targets, potentially leading to information disclosure. Fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.
CVE-2026-3605 | HIGH (P3) | CVSS 8.1 | CWE-288 | affected: ≥ 0.10.0, < 1.19.16; ≥ 0.10.0, < 2.0.0; +2 more | published 2026-04-17 | source: nvd
An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user to delete secrets across namespaces, nor read any secret data. Fixed in Vault Community Edition 2.0.0 and Vault Enter
CVE-2020-12757 | CRITICAL (P3) | CVSS 9.8 | CWE-269 | affected: ≥ 1.4.0, < 1.4.2 | published 2020-06-10 | source: nvd
HashiCorp Vault and Vault Enterprise 1.4.0 and 1.4.1, when configured with the GCP Secrets Engine, may incorrectly generate GCP Credentials with the default time-to-live lease duration instead of the engine-configured setting. This may lead to generated GCP credentials being valid for longer than intended. Fixed in 1.4.2.
CVE-2025-6013 | HIGH (P3) | CVSS 8.1 | CWE-156 | affected: ≥ 1.10.0, ≤ 1.15.16; ≥ 1.10.0, < 1.20.2; +4 more | published 2025-08-06 | source: nvd
Vault and Vault Enterprise’s (“Vault”) ldap auth method may not have correctly enforced MFA if username_as_alias was set to true and a user had multiple CNs that are equal but with leading or trailing spaces. Fixed in Vault Community Edition 1.20.2 and Vault Enterprise 1.20.2, 1.19.8, 1.18.13, and 1.16.24.
CVE-2026-5807 | HIGH (P3) | CVSS 7.5 | CWE-770 | affected: fixed in 2.0.0 | published 2026-04-17 | source: nvd
Vault is vulnerable to a denial-of-service condition where an unauthenticated attacker can repeatedly initiate or cancel root token generation or rekey operations, occupying the single in-progress operation slot. This prevents legitimate operators from completing these workflows. This vulnerability, CVE-2026-5807, is fixed in Vault Community Edition 2.0
CVE-2020-10661 | CRITICAL (P3) | CVSS 9.1 | affected: ≥ 0.11.0, ≤ 1.3.3 | published 2020-03-23 | source: nvd
HashiCorp Vault and Vault Enterprise versions 0.11.0 through 1.3.3 may, under certain circumstances, have existing nested-path policies grant access to Namespaces created after-the-fact. Fixed in 1.3.4.
CVE-2022-40186 | CRITICAL (P3) | CVSS 9.1 | CWE-639 | affected: ≥ 1.8.0, < 1.9.9; ≥ 1.10.0, < 1.10.6; +1 more | published 2022-09-22 | source: nvd
An issue was discovered in HashiCorp Vault and Vault Enterprise before 1.11.3. A vulnerability in the Identity Engine was found where, in a deployment where an entity has multiple mount accessors with shared alias names, Vault may overwrite metadata to the wrong alias due to an issue with checking the proper alias assigned to an entity. This may a
CVE-2025-5999 | HIGH (P3) | CVSS 7.2 | CWE-266 | affected: ≥ 0.10.4, < 1.16.22; ≥ 0.10.4, < 1.20.0; +2 more | published 2025-08-01 | source: nvd
A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or another user’s token privileges to Vault’s root policy. Fixed in Vault Community Edition 1.20.0 and Vault Enterprise 1.20.0, 1.19.6, 1.18.11 and 1.16.22.
CVE-2024-9180 | HIGH (P3) | CVSS 7.2 | CWE-266 | affected: ≥ 1.7.7, ≤ 1.17.7; ≥ 1.7.7, < 1.18.0; +3 more | published 2024-10-10 | source: nvd
A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or another user’s privileges to Vault’s root policy. Fixed in Vault Community Edition 1.18.0 and Vault Enterprise 1.18.0, 1.17.7, 1.16.11, and 1.15.16.
CVE-2021-3282 | HIGH (P3) | CVSS 7.5 | CWE-287 | affected: v1.6.0; v1.6.1 | published 2021-02-01 | source: nvd
HashiCorp Vault Enterprise 1.6.0 & 1.6.1 allowed the `remove-peer` raft operator command to be executed against DR secondaries without authentication. Fixed in 1.6.2.