CVE-2026-4525

If a Vault auth mount is configured to pass through the "Authorization" header, and the "Authorization" header is used to authenticate to Vault, Vault forwarded the Vault token to the auth plugin backend. Fixed in 2.0.0, 1.21.5, 1.20.10, and 1.19.16.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.6 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://discuss.hashicorp.com/t/hcsec-2026-07-vault-may-expose-tokens-to-auth-plugins-due-to-incorrect-header-sanitization/77344	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:hashicorp:vault:::::enterprise:::*
	cpe:2.3:a:hashicorp:vault:::::-:::*
	cpe:2.3:a:hashicorp:vault:::::enterprise:::*
	cpe:2.3:a:hashicorp:vault:::::enterprise:::*

History

27 Apr 2026, 15:02

Type	Values Removed	Values Added
CPE		cpe:2.3:a:hashicorp:vault:::::-:::* cpe:2.3:a:hashicorp:vault:::::enterprise:::*
First Time		Hashicorp vault Hashicorp
References	~~() https://discuss.hashicorp.com/t/hcsec-2026-07-vault-may-expose-tokens-to-auth-plugins-due-to-incorrect-header-sanitization/77344 -~~	() https://discuss.hashicorp.com/t/hcsec-2026-07-vault-may-expose-tokens-to-auth-plugins-due-to-incorrect-header-sanitization/77344 - Vendor Advisory

17 Apr 2026, 04:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-17 04:16

Updated : 2026-04-27 15:02

NVD link : CVE-2026-4525

Mitre link : CVE-2026-4525

CVE.ORG link : CVE-2026-4525

JSON object : View

Products Affected

hashicorp

vault

CWE

CWE-201

Insertion of Sensitive Information Into Sent Data

{"id": "CVE-2026-4525", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@hashicorp.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.6}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2026-04-17T04:16:09.997", "references": [{"url": "https://discuss.hashicorp.com/t/hcsec-2026-07-vault-may-expose-tokens-to-auth-plugins-due-to-incorrect-header-sanitization/77344", "tags": ["Vendor Advisory"], "source": "security@hashicorp.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@hashicorp.com", "description": [{"lang": "en", "value": "CWE-201"}]}], "descriptions": [{"lang": "en", "value": "If a Vault auth mount is configured to pass through the \"Authorization\" header, and the \"Authorization\" header is used to authenticate to Vault, Vault forwarded the Vault token to the auth plugin backend. Fixed in 2.0.0, 1.21.5, 1.20.10, and 1.19.16."}], "lastModified": "2026-04-27T15:02:47.137", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "E12BA6D9-0FDE-4CA9-8D01-35CD029D15D2", "versionEndExcluding": "1.19.16", "versionStartIncluding": "0.11.2"}, {"criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:*", "vulnerable": true, "matchCriteriaId": "48995D65-70D6-476A-ACD7-2A8F527D2975", "versionEndExcluding": "2.0.0", "versionStartIncluding": "0.11.2"}, {"criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "E2135CCF-F6D8-41AC-8D0C-F763F63974B4", "versionEndExcluding": "1.20.10", "versionStartIncluding": "1.20.0"}, {"criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "C8097BD2-0B19-4BA7-930E-93A5A89EC4AF", "versionEndExcluding": "1.21.5", "versionStartIncluding": "1.21.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@hashicorp.com"}