CVE-2026-3605

An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user to delete secrets across namespaces, nor read any secret data. Fxed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://discuss.hashicorp.com/t/hcsec-2026-05-vault-kvv2-metadata-and-secret-deletion-policy-bypass-denial-of-service/77342	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:hashicorp:vault:::::enterprise:::*
	cpe:2.3:a:hashicorp:vault:::::-:::*
	cpe:2.3:a:hashicorp:vault:::::enterprise:::*
	cpe:2.3:a:hashicorp:vault:::::enterprise:::*

History

25 Apr 2026, 18:08

Type	Values Removed	Values Added
First Time		Hashicorp vault Hashicorp
CPE		cpe:2.3:a:hashicorp:vault:::::-:::* cpe:2.3:a:hashicorp:vault:::::enterprise:::*
References	~~() https://discuss.hashicorp.com/t/hcsec-2026-05-vault-kvv2-metadata-and-secret-deletion-policy-bypass-denial-of-service/77342 -~~	() https://discuss.hashicorp.com/t/hcsec-2026-05-vault-kvv2-metadata-and-secret-deletion-policy-bypass-denial-of-service/77342 - Vendor Advisory

17 Apr 2026, 04:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-17 04:16

Updated : 2026-04-25 18:08

NVD link : CVE-2026-3605

Mitre link : CVE-2026-3605

CVE.ORG link : CVE-2026-3605

JSON object : View

Products Affected

hashicorp

vault

CWE

CWE-288

Authentication Bypass Using an Alternate Path or Channel

{"id": "CVE-2026-3605", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@hashicorp.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 5.2, "exploitabilityScore": 2.8}]}, "published": "2026-04-17T04:16:03.263", "references": [{"url": "https://discuss.hashicorp.com/t/hcsec-2026-05-vault-kvv2-metadata-and-secret-deletion-policy-bypass-denial-of-service/77342", "tags": ["Vendor Advisory"], "source": "security@hashicorp.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@hashicorp.com", "description": [{"lang": "en", "value": "CWE-288"}]}], "descriptions": [{"lang": "en", "value": "An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user to delete secrets across namespaces, nor read any secret data. Fxed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16."}], "lastModified": "2026-04-25T18:08:13.057", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "A10F062C-C575-44AF-B8A5-90E3BD34D2E7", "versionEndExcluding": "1.19.16", "versionStartIncluding": "0.10.0"}, {"criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:*", "vulnerable": true, "matchCriteriaId": "8A5E6BEF-C182-4E5D-A908-2CD2F2437205", "versionEndExcluding": "2.0.0", "versionStartIncluding": "0.10.0"}, {"criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "E2135CCF-F6D8-41AC-8D0C-F763F63974B4", "versionEndExcluding": "1.20.10", "versionStartIncluding": "1.20.0"}, {"criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "C8097BD2-0B19-4BA7-930E-93A5A89EC4AF", "versionEndExcluding": "1.21.5", "versionStartIncluding": "1.21.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@hashicorp.com"}