CVE-2025-11621
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-23

Last updated on: 2025-12-29

Assigner: HashiCorp Inc.

Description
Vault and Vault Enterprise’s (“Vault”) AWS Auth method may be susceptible to authentication bypass if the role of the configured bound_principal_iam is the same across AWS accounts, or uses a wildcard. This vulnerability, CVE-2025-11621, is fixed in Vault Community Edition 1.21.0 and Vault Enterprise 1.21.0, 1.20.5, 1.19.11, and 1.16.27
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-23
Last Modified
2025-12-29
Generated
2026-06-16
AI Q&A
2025-10-23
EPSS Evaluated
2026-06-14
NVD
CVE-2025-11621
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
hashicorp vault From 0.6.0 (inc) to 1.16.27 (exc)
hashicorp vault From 0.6.0 (inc) to 1.21.0 (exc)
hashicorp vault From 1.18.0 (inc) to 1.18.15 (inc)
hashicorp vault From 1.19.0 (inc) to 1.19.11 (exc)
hashicorp vault From 1.20.0 (inc) to 1.20.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-288 The product requires authentication, but the product has an alternate path or channel that does not require authentication.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-11621 is an authentication bypass vulnerability in HashiCorp Vault's AWS Auth method. It occurs because Vault caches AWS clients but does not verify the AWS account ID when checking this cache. If the configured bound_principal_iam role is the same across multiple AWS accounts or uses wildcards, an attacker with a matching role in a different AWS account can bypass authentication and obtain Vault tokens illegitimately. This flaw also exists in Vault's EC2 authentication method, allowing potential cross-account privilege escalation. [1]

Impact Analysis

This vulnerability can allow attackers to bypass authentication controls and gain unauthorized access to Vault tokens. As a result, attackers may access sensitive data stored in Vault and potentially escalate privileges within the Vault environment, compromising the security of your systems and data. [1]

Detection Guidance

Detection involves checking if your Vault deployment uses the AWS Auth method with the bound_principal_iam role configured identically across multiple AWS accounts or using wildcards in the ARN. You can inspect Vault configuration files or query Vault's auth methods to identify such configurations. For example, use the Vault CLI command `vault read auth/aws/config/client` to review AWS Auth method settings. Additionally, verify the Vault version to see if it is vulnerable (versions prior to Community Edition 1.21.0 or Enterprise versions prior to 1.21.0, 1.20.5, 1.19.11, and 1.16.27). There are no specific network detection commands provided in the resources. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade Vault to the fixed versions: Vault Community Edition 1.21.0 or Vault Enterprise versions 1.21.0, 1.20.5, 1.19.11, or 1.16.27. Additionally, review and avoid using identical bound_principal_iam roles across multiple AWS accounts or wildcards in the ARN to prevent authentication bypass. Assess your Vault AWS Auth method configuration and restrict role bindings to specific AWS accounts to reduce exposure. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-11621. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart