Main Vulnerability Database Vulnerabilities #VU113697

#VU113697 Permissions, Privileges, and Access Controls in Vault and Vault Enterprise - CVE-2025-5999

Published: August 6, 2025

Vulnerability identifier: #VU113697

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear

CVE-ID: CVE-2025-5999

CWE-ID: CWE-264

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Vault
Vault Enterprise

Software vendor:
HashiCorp

Description

The vulnerability allows a remote user to escalate privileges within the application.

The vulnerability exists due to application does not properly impose security restrictions. A privileged Vault operator with write permissions to the root namespace’s identity endpoint can escalate their own or another user’s token privileges to Vault’s root policy.

Remediation

Install updates from vendor's website.

External links

https://discuss.hashicorp.com/t/hcsec-2025-13-vault-root-namespace-operator-may-elevate-token-privileges/76032

#VU113697 Permissions, Privileges, and Access Controls in Vault and Vault Enterprise - CVE-2025-5999

Description

Remediation

External links

Please verify you're human