cbcvebase.

Hashicorp Vault Enterprise vulnerabilities

41 known vulnerabilities affecting hashicorp/vault_enterprise.

Total CVEs
41
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL2HIGH19MEDIUM17LOW3

Vulnerabilities

Page 1 of 3
CVE-2025-6000P3CRITICALCVSS 9.1≥ 0.8.0, < 1.20.12025-08-01
CVE-2025-6000 [CRITICAL] CWE-94 CVE-2025-6000: A privileged Vault operator within the root namespace with write permission to may obt A privileged Vault operator within the root namespace with write permission to {{sys/audit}} may obtain code execution on the underlying host if a plugin directory is set in Vault’s configuration. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.
nvd
CVE-2026-4525P3HIGHCVSS 8.8≥ 0.11.2, < 2.0.02026-04-17
CVE-2026-4525 [HIGH] CWE-201 CVE-2026-4525: If a Vault auth mount is configured to pass through the "Authorization" header, and the "Authorizati If a Vault auth mount is configured to pass through the "Authorization" header, and the "Authorization" header is used to authenticate to Vault, Vault forwarded the Vault token to the auth plugin backend. Fixed in 2.0.0, 1.21.5, 1.20.10, and 1.19.16.
nvd
CVE-2025-11621P3HIGHCVSS 8.1≥ 0.6.0, < 1.21.02025-10-23
CVE-2025-11621 [HIGH] CWE-288 CVE-2025-11621: Vault and Vault Enterprise’s (“Vault”) AWS Auth method may be susceptible to authentication bypass i Vault and Vault Enterprise’s (“Vault”) AWS Auth method may be susceptible to authentication bypass if the role of the configured bound_principal_iam is the same across AWS accounts, or uses a wildcard. This vulnerability, CVE-2025-11621, is fixed in Vault Community Edition 1.21.0 and Vault Enterprise 1.21.0, 1.20.5, 1.19.11, and 1.16.27
nvd
CVE-2024-2048P3CRITICALCVSS 9.8≥ 1.15.5, < 1.16.02024-03-04
CVE-2024-2048 [CRITICAL] CWE-295 CVE-2024-2048: Vault and Vault Enterprise (“Vault”) TLS certificate auth method did not correctly validate client c Vault and Vault Enterprise (“Vault”) TLS certificate auth method did not correctly validate client certificates when configured with a non-CA certificate as trusted certificate. In this configuration, an attacker may be able to craft a malicious certificate that could be used to bypass authentication. Fixed in Vault 1.15.5 and 1.14.10.
nvd
CVE-2025-3879P3HIGHCVSS 8.8≥ 0.10.0, < 1.19.12025-05-02
CVE-2025-3879 [HIGH] CWE-863 CVE-2025-3879: Vault Community, Vault Enterprise (“Vault”) Azure Auth method did not correctly validate the claims Vault Community, Vault Enterprise (“Vault”) Azure Auth method did not correctly validate the claims in the Azure-issued token, resulting in the potential bypass of the bound_locations parameter on login. Fixed in Vault Community Edition 1.19.1 and Vault Enterprise 1.19.1, 1.18.7, 1.17.14, 1.16.18.
nvd
CVE-2024-7594P3HIGHCVSS 8.8≥ 1.7.7, < 1.17.62024-09-26
CVE-2024-7594 [HIGH] CWE-732 CVE-2024-7594: Vault’s SSH secrets engine did not require the valid_principals list to contain a value by default. Vault’s SSH secrets engine did not require the valid_principals list to contain a value by default. If the valid_principals and default_user fields of the SSH secrets engine configuration are not set, an SSH certificate requested by an authorized user to Vault’s SSH secrets engine could be used to authenticate as any user on the host. Fixed in Vault Comm
nvd
CVE-2026-5052P3HIGHCVSS 8.6≥ 1.15.0, < 2.0.02026-04-17
CVE-2026-5052 [HIGH] CWE-918 CVE-2026-5052: Vault’s PKI engine’s ACME validation did not reject local targets when issuing http-01 and tls-alpn- Vault’s PKI engine’s ACME validation did not reject local targets when issuing http-01 and tls-alpn-01 challenges. This may lead to these requests being sent to local network targets, potentially leading to information disclosure. Fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.
nvd
CVE-2026-3605P3HIGHCVSS 8.1≥ 0.10.0, < 2.0.02026-04-17
CVE-2026-3605 [HIGH] CWE-288 CVE-2026-3605: An authenticated user with access to a kvv2 path through a policy containing a glob may be able to d An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user to delete secrets across namespaces, nor read any secret data. Fxed in Vault Community Edition 2.0.0 and Vault Enter
nvd
CVE-2025-6013P3HIGHCVSS 8.1≥ 1.10.0, < 1.20.22025-08-06
CVE-2025-6013 [HIGH] CWE-156 CVE-2025-6013: Vault and Vault Enterprise’s (“Vault”) ldap auth method may not have correctly enforced MFA if usern Vault and Vault Enterprise’s (“Vault”) ldap auth method may not have correctly enforced MFA if username_as_alias was set to true and a user had multiple CNs that are equal but with leading or trailing spaces. Fixed in Vault Community Edition 1.20.2 and Vault Enterprise 1.20.2, 1.19.8, 1.18.13, and 1.16.24.
nvd
CVE-2026-5807P3HIGHCVSS 7.5fixed in 2.0.0.2026-04-17
CVE-2026-5807 [HIGH] CWE-770 CVE-2026-5807: Vault is vulnerable to a denial-of-service condition where an unauthenticated attacker can repeatedl Vault is vulnerable to a denial-of-service condition where an unauthenticated attacker can repeatedly initiate or cancel root token generation or rekey operations, occupying the single in-progress operation slot. This prevents legitimate operators from completing these workflows. This vulnerability, CVE-2026-5807, is fixed in Vault Community Edition 2.0
nvd
CVE-2025-5999P3HIGHCVSS 7.2≥ 0.10.4, < 1.20.02025-08-01
CVE-2025-5999 [HIGH] CWE-266 CVE-2025-5999: A privileged Vault operator with write permissions to the root namespace’s identity endpoint could e A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or another user’s token privileges to Vault’s root policy. Fixed in Vault Community Edition 1.20.0 and Vault Enterprise 1.20.0, 1.19.6, 1.18.11 and 1.16.22.
nvd
CVE-2024-9180P3HIGHCVSS 7.2≥ 0.10.4, < 1.18.02024-10-10
CVE-2024-9180 [HIGH] CWE-266 CVE-2024-9180: A privileged Vault operator with write permissions to the root namespace’s identity endpoint could e A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or another user’s privileges to Vault’s root policy. Fixed in Vault Community Edition 1.18.0 and Vault Enterprise 1.18.0, 1.17.7, 1.16.11, and 1.15.16.
nvd
CVE-2023-24999P3HIGHCVSS 8.1≥ 1.12.0, < 1.12.4≥ 1.11.0, < 1.11.8+1 more2023-03-11
CVE-2023-24999 [HIGH] CWE-863 CVE-2023-24999: HashiCorp Vault and Vault Enterprise’s approle auth method allowed any authenticated user with acces HashiCorp Vault and Vault Enterprise’s approle auth method allowed any authenticated user with access to an approle destroy endpoint to destroy the secret ID of any other role by providing the secret ID accessor. This vulnerability is fixed in Vault 1.13.0, 1.12.4, 1.11.8, 1.10.11 and above.
nvd
CVE-2025-6203P3HIGHCVSS 7.5≥ 1.15.0, < 1.21.22025-08-28
CVE-2025-6203 [HIGH] CWE-770 CVE-2025-6203: A malicious user may submit a specially-crafted complex payload that otherwise meets the default req A malicious user may submit a specially-crafted complex payload that otherwise meets the default request size limit which results in excessive memory and CPU consumption of Vault. This may lead to a timeout in Vault’s auditing subroutine, potentially resulting in the Vault server to become unresponsive. This vulnerability, CVE-2025-6203, is fixed in Vau
nvd
CVE-2025-12044P3HIGHCVSS 7.5≥ 1.20.3, < 1.21.0≥ 1.19.9, < 1.19.11+2 more2025-10-23
CVE-2025-12044 [HIGH] CWE-770 CVE-2025-12044: Vault and Vault Enterprise (“Vault”) are vulnerable to an unauthenticated denial of service when pro Vault and Vault Enterprise (“Vault”) are vulnerable to an unauthenticated denial of service when processing JSON payloads. This occurs due to a regression from a previous fix for [+HCSEC-2025-24+|https://discuss.hashicorp.com/t/hcsec-2025-24-vault-denial-of-service-though-complex-json-payloads/76393] which allowed for processing JSON payloads before a
nvd
CVE-2024-6468P3HIGHCVSS 7.5≥ 1.10.0, < 1.15.112024-07-11
CVE-2024-6468 [HIGH] CWE-703 CVE-2024-6468: Vault and Vault Enterprise did not properly handle requests originating from unauthorized IP address Vault and Vault Enterprise did not properly handle requests originating from unauthorized IP addresses when the TCP listener option, proxy_protocol_behavior, was set to deny_unauthorized. When receiving a request from a source IP address that was not listed in proxy_protocol_authorized_addrs, the Vault API server would shut down and no longer respond to
nvd
CVE-2024-8185P3HIGHCVSS 7.5≥ 1.2.0, < 1.18.12024-10-31
CVE-2024-8185 [HIGH] CWE-636 CVE-2024-8185: Vault Community and Vault Enterprise (“Vault”) clusters using Vault’s Integrated Storage backend are Vault Community and Vault Enterprise (“Vault”) clusters using Vault’s Integrated Storage backend are vulnerable to a denial-of-service (DoS) attack through memory exhaustion through a Raft cluster join API endpoint . An attacker may send a large volume of requests to the endpoint which may cause Vault to consume excessive system memory resources, potent
nvd
CVE-2023-4680P3MEDIUMCVSS 6.8≥ 1.14.0, < 1.14.3≥ 1.13.0, < 1.13.7+2 more2023-09-15
CVE-2023-4680 [MEDIUM] CWE-323 CVE-2023-4680: HashiCorp Vault and Vault Enterprise transit secrets engine allowed authorized users to specify arbi HashiCorp Vault and Vault Enterprise transit secrets engine allowed authorized users to specify arbitrary nonces, even with convergent encryption disabled. The encrypt endpoint, in combination with an offline attack, could be used to decrypt arbitrary ciphertext and potentially derive the authentication subkey when using transit secrets engine without
nvd
CVE-2024-5798P3HIGHCVSS 7.5≥ 0.11.0, < 1.16.22024-06-12
CVE-2024-5798 [HIGH] CWE-287 CVE-2024-5798: Vault and Vault Enterprise did not properly validate the JSON Web Token (JWT) role-bound audience cl Vault and Vault Enterprise did not properly validate the JSON Web Token (JWT) role-bound audience claim when using the Vault JWT auth method. This may have resulted in Vault validating a JWT the audience and role-bound claims do not match, allowing an invalid login to succeed when it should have been rejected. This vulnerability, CVE-2024-5798, was fix
nvd
CVE-2023-6337P3HIGHCVSS 7.5≥ 1.12.0, < 1.15.42023-12-08
CVE-2023-6337 [HIGH] CWE-770 CVE-2023-6337: HashiCorp Vault and Vault Enterprise 1.12.0 and newer are vulnerable to a denial of service through HashiCorp Vault and Vault Enterprise 1.12.0 and newer are vulnerable to a denial of service through memory exhaustion of the host when handling large unauthenticated and authenticated HTTP requests from a client. Vault will attempt to map the request to memory, resulting in the exhaustion of available memory on the host, which may cause Vault to crash.
nvd
Hashicorp Vault Enterprise vulnerabilities | cvebase