SB2026041755 - Multiple vulnerabilities in Vault


Published: April 17, 2026

Security Bulletin ID: SB2026041755
Severity: Medium
Patch available: YES
Number of vulnerabilities: 4
Exploitation vector: Remote access
Highest impact: Denial of service

Breakdown by Severity

Medium: 50% (2 of 4), Low: 50% (2 of 4)

Description

This security bulletin contains information about 4 security vulnerabilities in Vault.


1) Improper access control (CVE-ID: CVE-2026-3605)

The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to improper access control in the KV version 2 (kvv2) secrets engine's metadata and secret deletion handling when a kvv2 path is accessed through a policy containing a glob. A remote user can delete secrets that they are not authorized to read or write, causing a denial of service for the consumers of those secrets.

The issue does not allow deletion across namespaces, and it does not grant read access to secret data.


2) Missing Authentication for Critical Function (CVE-ID: CVE-2026-5807)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper access control in the sys/rekey, sys/generate-root, and sys/rekey-recovery-key endpoints when handling root token generation or rekey requests, which are unauthenticated by design. A remote attacker can repeatedly initiate or cancel these operations to cause a denial of service.

Because only one such operation can be in progress at a time, the attacker occupies that single in-progress slot and prevents legitimate operators from completing these workflows.
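The churn described above leaves a clear trace in the Vault audit log: repeated init (update) and cancel (delete) requests against the rekey or root-generation endpoints from the same source. The following detector is an added example, not vendor tooling. It assumes the standard file audit device JSON format (one object per line with "time", "type" and a "request" object carrying "operation", "path" and "remote_address") and that the audit device records these unauthenticated requests; the sample audit lines are constructed, and the window and threshold are illustrative values to tune for your environment.

```python
"""Flag bursts of rekey / generate-root init and cancel requests in Vault audit logs.

Added example (not vendor code). Assumes the Vault file audit device JSON
format: one object per line with "type", "time" and a "request" object
holding "operation", "path" and "remote_address". Sample lines are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Endpoints that own the single in-progress rekey / root-generation slot.
# "update" is the init (POST/PUT) request, "delete" is the cancel request.
SLOT_PATHS = {
    "sys/rekey/init",
    "sys/rekey-recovery-key/init",
    "sys/generate-root/attempt",
}
SLOT_OPERATIONS = {"update", "delete"}

# Constructed sample audit lines: 203.0.113.5 churns the generate-root slot,
# 10.0.0.8 performs one legitimate rekey init and an unrelated KV read.
SAMPLE_AUDIT_LINES = [
    '{"time":"2026-04-17T10:00:00Z","type":"request","auth":{},"request":{"operation":"update","path":"sys/generate-root/attempt","remote_address":"203.0.113.5"}}',
    '{"time":"2026-04-17T10:00:01Z","type":"request","auth":{},"request":{"operation":"delete","path":"sys/generate-root/attempt","remote_address":"203.0.113.5"}}',
    '{"time":"2026-04-17T10:00:02Z","type":"request","auth":{},"request":{"operation":"update","path":"sys/generate-root/attempt","remote_address":"203.0.113.5"}}',
    '{"time":"2026-04-17T10:00:03Z","type":"request","auth":{},"request":{"operation":"delete","path":"sys/generate-root/attempt","remote_address":"203.0.113.5"}}',
    '{"time":"2026-04-17T10:00:04Z","type":"request","auth":{},"request":{"operation":"update","path":"sys/generate-root/attempt","remote_address":"203.0.113.5"}}',
    '{"time":"2026-04-17T10:00:10Z","type":"request","auth":{},"request":{"operation":"update","path":"sys/rekey/init","remote_address":"10.0.0.8"}}',
    '{"time":"2026-04-17T10:00:11Z","type":"request","auth":{"client_token":"hmac-sha256:..."},"request":{"operation":"read","path":"secret/data/app","remote_address":"10.0.0.8"}}',
]


def parse_time(ts: str) -> datetime:
    """Parse the RFC 3339 timestamp Vault writes; the Z suffix is rewritten for fromisoformat."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def slot_events(lines):
    """Yield (time, remote_address, operation, path) for requests that touch the slot."""
    for line in lines:
        entry = json.loads(line)
        if entry.get("type") != "request":
            continue
        req = entry.get("request", {})
        if req.get("path") in SLOT_PATHS and req.get("operation") in SLOT_OPERATIONS:
            yield parse_time(entry["time"]), req.get("remote_address", "?"), req["operation"], req["path"]


def find_churn(lines, window=timedelta(minutes=5), threshold=4):
    """Return {remote_address: peak_count} for sources that issued at least
    `threshold` init/cancel requests on the slot endpoints inside `window`."""
    by_source = defaultdict(list)
    for ts, addr, _op, _path in slot_events(lines):
        by_source[addr].append(ts)
    flagged = {}
    for addr, times in by_source.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            # Slide the window start forward until it fits within `window`.
            while ts - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[addr] = max(flagged.get(addr, 0), count)
    return flagged


if __name__ == "__main__":
    for addr, n in find_churn(SAMPLE_AUDIT_LINES).items():
        print(f"{addr}: {n} rekey/generate-root slot requests within 5 minutes")
```

A single legitimate operator run produces one init and, at most, one cancel, so even a low threshold separates normal use from slot churn; a hit is also a prompt to confirm at the network layer which sources are allowed to reach these endpoints at all.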


3) Information disclosure (CVE-ID: CVE-2026-4525)

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper header sanitization in the auth plugin backend request processing logic when Vault forwards the "Authorization" header to an auth plugin backend. A remote user can send a request carrying an "Authorization" header to such a mount to disclose sensitive information.

Exploitation requires an auth mount to be configured to pass the "Authorization" header through to the plugin (the passthrough_request_headers mount setting); mounts without that setting are not affected.


4) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-5052)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper restriction of server-side request targets in the PKI engine's ACME challenge validation when validating http-01 and tls-alpn-01 challenges for a name whose DNS the attacker controls. By resolving that name to an internal address, a remote attacker can cause Vault to send challenge validation requests to targets on its local network and disclose sensitive information.

Depending on the Vault configuration, the ACME challenge endpoint is either unauthenticated or requires an external account binding (EAB) token.
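Items 1, 3 and 4 above all hinge on configuration an operator can enumerate before patching: which auth mounts pass the "Authorization" header through, whether ACME is enabled on a PKI mount and what its eab_policy is, and which ACL policies use globs under kv-v2 mounts. The triage script below is an added example, not vendor tooling. It assumes the JSON shapes returned by `vault read -format=json sys/auth/<mount>/tune` (one object per auth mount, assembled by the operator), `vault read -format=json <pki>/config/acme`, `vault secrets list -detailed -format=json` and `vault policy read <name>`; all sample inputs are constructed. The kv-v2 glob listing is only a review aid, since the bulletin does not state which glob shapes trigger item 1.

```python
"""Triage Vault configuration for the preconditions named in this bulletin.

Added example, not vendor tooling. Inputs are constructed samples in the
shape of `vault read -format=json sys/auth/<mount>/tune` (per mount),
`vault read -format=json pki/config/acme`, `vault secrets list -detailed
-format=json` and `vault policy read <name>`.
"""
import json
import re

# Constructed: mount path -> "data" object of sys/auth/<mount>/tune.
AUTH_TUNE_JSON = """{
  "jwt/": {"default_lease_ttl": 0, "passthrough_request_headers": ["Authorization"]},
  "token/": {"default_lease_ttl": 0},
  "userpass/": {"default_lease_ttl": 0, "passthrough_request_headers": ["X-Forwarded-For"]}
}"""

# Constructed: "data" object of pki/config/acme.
ACME_CONFIG_JSON = """{"enabled": true, "eab_policy": "not-required",
 "allowed_issuers": ["*"], "allowed_roles": ["*"]}"""

# Constructed: output of `vault secrets list -detailed -format=json`.
SECRET_MOUNTS_JSON = """{
  "secret/": {"type": "kv", "options": {"version": "2"}},
  "legacy/": {"type": "kv", "options": {"version": "1"}},
  "pki/": {"type": "pki", "options": null}
}"""

# Constructed: a policy as printed by `vault policy read app-ro`.
POLICY_HCL = '''
path "secret/data/app/*" {
  capabilities = ["read", "list"]
}
path "legacy/app/*" {
  capabilities = ["read"]
}
path "secret/metadata/team-a/+/config" {
  capabilities = ["read"]
}
'''


def auth_mounts_passing_authorization(tune_by_mount: dict) -> list:
    """Item 3 precondition: mounts whose tune config forwards Authorization (case-insensitive)."""
    hits = []
    for mount, tune in tune_by_mount.items():
        headers = tune.get("passthrough_request_headers") or []
        if any(h.lower() == "authorization" for h in headers):
            hits.append(mount)
    return sorted(hits)


def acme_exposure(acme_config: dict) -> str:
    """Item 4: 'disabled', 'unauthenticated' (no EAB required) or 'eab-required'."""
    if not acme_config.get("enabled"):
        return "disabled"
    policy = acme_config.get("eab_policy", "not-required")
    return "unauthenticated" if policy == "not-required" else "eab-required"


def kvv2_mounts(secret_list: dict) -> set:
    """Mount paths that are KV secrets engines configured as version 2."""
    return {m for m, info in secret_list.items()
            if info.get("type") == "kv" and (info.get("options") or {}).get("version") == "2"}


PATH_RULE = re.compile(r'path\s+"([^"]+)"')


def kvv2_glob_rules(policy_hcl: str, mounts: set) -> list:
    """Item 1 review aid: policy path rules under a kv-v2 mount that use a '*' or '+' glob."""
    return [p for p in PATH_RULE.findall(policy_hcl)
            if ("*" in p or "+" in p) and any(p.startswith(m) for m in mounts)]


def run_checks() -> dict:
    """Run every check over the constructed samples and return the findings."""
    mounts = kvv2_mounts(json.loads(SECRET_MOUNTS_JSON))
    return {
        "authorization_passthrough_mounts": auth_mounts_passing_authorization(json.loads(AUTH_TUNE_JSON)),
        "acme": acme_exposure(json.loads(ACME_CONFIG_JSON)),
        "kvv2_mounts": sorted(mounts),
        "kvv2_glob_rules": kvv2_glob_rules(POLICY_HCL, mounts),
    }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

A mount listed under authorization_passthrough_mounts and an ACME result of "unauthenticated" are the two configurations in which items 3 and 4 are reachable as described; kvv2_glob_rules is a list to review against the patched version, not a verdict.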


Remediation

Install the update from the vendor's website.