CVE-2026-3605
Authorization Bypass in HashiCorp Vault kvv2 Path Causes DoS
Publication date: 2026-04-17
Last updated on: 2026-04-25
Assigner: HashiCorp Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hashicorp | vault | From 1.20.0 (inc) to 1.20.10 (exc) |
| hashicorp | vault | From 1.21.0 (inc) to 1.21.5 (exc) |
| hashicorp | vault | From 0.10.0 (inc) to 2.0.0 (exc) |
| hashicorp | vault | From 0.10.0 (inc) to 1.19.16 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-288 | The product requires authentication, but the product has an alternate path or channel that does not require authentication. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability allows an authenticated user whose policy grants access to a kvv2 (KV version 2) path through a glob pattern (for example a trailing `*` in the policy path) to delete secrets at paths that the same policy does not allow them to read or write.
The flaw does not expose secret data and does not cross namespace boundaries, but deleting secrets that applications depend on is a denial of service against those applications.
The issue was fixed in Vault Community Edition 2.0.0 and Vault Enterprise versions 2.0.0, 1.21.5, 1.20.10, and 1.19.16.
How can this vulnerability impact me?
The primary impact is denial of service caused by unauthorized deletion of secrets.
An attacker who already holds a Vault token and whose policy contains a glob on a kvv2 path could delete secrets the policy does not otherwise grant access to, disrupting any application or service that reads those secrets.
The vulnerability does not allow reading secret data, and deletions cannot reach across namespaces.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade to a fixed version of Vault: Community Edition 2.0.0, or Enterprise 2.0.0, 1.21.5, 1.20.10, or 1.19.16. Until the upgrade is complete, only principals whose policies include a glob on a kvv2 path can trigger the issue, so reviewing and narrowing those policies reduces who is able to exploit it.
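As an added triage example (not HashiCorp's code and not part of the advisory), the following Python checks a Vault version string against the affected ranges in the table above and lists policy stanzas that grant glob access, which is the precondition named in the answers. It assumes that Vault Enterprise reports its version with a `+ent` build suffix (e.g. `1.20.3+ent`) and that, of the two ranges starting at 0.10.0, the one ending at 2.0.0 is Community Edition and the one ending at 1.19.16 is Enterprise 1.19.x, as the fixed-version list implies. The `sys/health` payload and the policy text are constructed samples.

```python
"""Triage helpers for CVE-2026-3605 (added example, not HashiCorp's code)."""
import json
import re
from typing import List, Tuple

Version = Tuple[int, int, int]

# (lower inclusive, upper exclusive) pairs taken from the affected-products table.
# Assumption: CE vs Enterprise split inferred from the fixed-version list.
AFFECTED_CE = [((0, 10, 0), (2, 0, 0))]
AFFECTED_ENT = [
    ((0, 10, 0), (1, 19, 16)),
    ((1, 20, 0), (1, 20, 10)),
    ((1, 21, 0), (1, 21, 5)),
]


def parse_version(raw: str) -> Tuple[Version, bool]:
    """Return ((major, minor, patch), is_enterprise) for a Vault version string.

    Handles "1.20.3", "1.20.3+ent" and "1.21.0-rc1+ent.hsm": the pre-release
    tag is dropped and the build metadata after "+" decides the edition.
    """
    core, _, build = raw.strip().partition("+")
    core = core.split("-", 1)[0]  # drop "-rc1" style pre-release tags
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", core)
    if not m:
        raise ValueError(f"unrecognised Vault version: {raw!r}")
    is_ent = build.startswith("ent")  # assumption: "+ent..." marks Enterprise
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), is_ent


def is_affected(raw: str) -> bool:
    """True if the version falls inside an affected range for its edition."""
    v, is_ent = parse_version(raw)
    ranges = AFFECTED_ENT if is_ent else AFFECTED_CE
    return any(lo <= v < hi for lo, hi in ranges)


def check_health_payload(payload: str) -> dict:
    """Evaluate the JSON body of GET /v1/sys/health, which carries "version"."""
    version = json.loads(payload)["version"]
    return {"version": version, "affected": is_affected(version)}


# Vault policy paths may end in a "*" glob or use "+" for a single segment.
# A stanza like  path "secret/data/app/*" { ... }  is the exposure condition.
_STANZA = re.compile(r'path\s+"([^"]+)"\s*\{([^}]*)\}', re.S)
_CAPS = re.compile(r"capabilities\s*=\s*\[([^\]]*)\]")


def glob_stanzas(policy_hcl: str) -> List[Tuple[str, List[str]]]:
    """Return (path, capabilities) for every stanza whose path contains a glob.

    Whether the mount behind the path is actually kvv2 must be confirmed
    separately (e.g. from `vault secrets list -detailed`).
    """
    found = []
    for path, body in _STANZA.findall(policy_hcl):
        if "*" in path or "+" in path:
            caps_m = _CAPS.search(body)
            caps = []
            if caps_m:
                caps = [c.strip().strip('"') for c in caps_m.group(1).split(",") if c.strip()]
            found.append((path, caps))
    return found


# Constructed samples; not captured from a real cluster.
SAMPLE_HEALTH = '{"initialized": true, "sealed": false, "version": "1.20.3+ent"}'
SAMPLE_POLICY = """
path "secret/data/app/*" {
  capabilities = ["read", "list"]
}

path "secret/metadata/app/config" {
  capabilities = ["delete"]
}

path "secret/data/team/+/shared" {
  capabilities = ["update"]
}
"""

if __name__ == "__main__":
    print(check_health_payload(SAMPLE_HEALTH))
    for path, caps in glob_stanzas(SAMPLE_POLICY):
        print(f"glob policy path: {path} capabilities={caps}")
```

Run it against the JSON from `GET /v1/sys/health` on each cluster and against each policy read back with `vault policy read <name>`; a cluster is exposed only when the version is affected and some principal's policy shows a glob on a kvv2 mount.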
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The flaw lets an authenticated user with glob-based policy access to a kvv2 path delete secrets they were not authorized to read or write, but it does not let them read any secret data or delete secrets in other namespaces.
Because no secret data is exposed, the impact is on availability (the deleted secret is gone for the workloads that need it) rather than on confidentiality; it does not by itself lead to unauthorized disclosure of personal or sensitive data.
The compliance consequence therefore depends on how the resulting outage affects the availability and resilience obligations these regulations place on the organization's systems.