SB2026041755 - Multiple vulnerabilities in Vault
Published: April 17, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 vulnerabilities.
1) Improper access control (CVE-ID: CVE-2026-3605)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to improper access control in the kvv2 metadata and secret deletion handling when accessing a kvv2 path through a policy containing a glob. A remote user can delete secrets they are not authorized to read or write to cause a denial of service.
The issue does not allow deletion across namespaces, and read access to secret data is not possible.
2) Missing Authentication for Critical Function (CVE-ID: CVE-2026-5807)
CWE-ID: CWE-306 - Missing Authentication for Critical Function
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper access control in the sys/rekey, sys/generate-root, and sys/rekey-recovery-key endpoints when handling unauthenticated root token generation or rekey requests. A remote attacker can repeatedly initiate or cancel operations to cause a denial of service.
The issue can occupy the single in-progress operation slot and prevent legitimate operators from completing these workflows.
3) Information disclosure (CVE-ID: CVE-2026-4525)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper header sanitization in the auth plugin backend request processing logic when forwarding the "Authorization" header to an auth plugin backend. A remote user can send a request authenticated with the "Authorization" header to disclose sensitive information.
Exploitation requires an auth mount to be configured to pass through the "Authorization" header.
4) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-5052)
CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper restriction of server-side request targets in the PKI engine ACME challenge validation when issuing http-01 and tls-alpn-01 challenges using attacker-controlled DNS. A remote attacker can cause Vault to send challenge validation requests to local network targets to disclose sensitive information.
Depending on the Vault configuration, the challenge endpoint is either unauthenticated or requires an EAB token.
Remediation
Install update from vendor's website.
References
- https://discuss.hashicorp.com/t/hcsec-2026-05-vault-kvv2-metadata-and-secret-deletion-policy-bypass-denial-of-service/77342
- https://discuss.hashicorp.com/t/hcsec-2026-08-vault-vulnerable-to-denial-of-service-via-unauthenticated-root-token-generation-rekey-operations/77345
- https://discuss.hashicorp.com/t/hcsec-2026-07-vault-may-expose-tokens-to-auth-plugins-due-to-incorrect-header-sanitization/77344
- https://discuss.hashicorp.com/t/hcsec-2026-06-vault-vulnerable-to-server-side-request-forgery-in-acme-challenge-validation-via-attacker-controlled-dns/77343