CVE-2026-3605
Received Received - Intake
Authorization Bypass in HashiCorp Vault kvv2 Path Causes DoS

Publication date: 2026-04-17

Last updated on: 2026-04-25

Assigner: HashiCorp Inc.

Description
An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user to delete secrets across namespaces, nor read any secret data. Fxed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-17
Last Modified
2026-04-25
Generated
2026-06-16
AI Q&A
2026-04-17
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3605
EUVD
EUVD-2026-23346
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
hashicorp vault From 1.20.0 (inc) to 1.20.10 (exc)
hashicorp vault From 1.21.0 (inc) to 1.21.5 (exc)
hashicorp vault From 0.10.0 (inc) to 2.0.0 (exc)
hashicorp vault From 0.10.0 (inc) to 1.19.16 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-288 The product requires authentication, but the product has an alternate path or channel that does not require authentication.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability allows an authenticated user who has access to a kvv2 path through a policy containing a glob pattern to delete secrets they are not authorized to read or write.

Although the user cannot read secret data or delete secrets across namespaces, they can cause a denial-of-service by deleting unauthorized secrets.

The issue was fixed in Vault Community Edition 2.0.0 and Vault Enterprise versions 2.0.0, 1.21.5, 1.20.10, and 1.19.16.

Impact Analysis

The primary impact of this vulnerability is denial-of-service caused by unauthorized deletion of secrets.

An attacker with authenticated access and a policy containing a glob could delete secrets they should not have permission to delete, potentially disrupting applications or services that rely on those secrets.

However, the vulnerability does not allow reading secret data or deleting secrets across namespaces.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade to a fixed version of Vault. The vulnerability is fixed in Vault Community Edition 2.0.0 and Vault Enterprise versions 2.0.0, 1.21.5, 1.20.10, and 1.19.16.

Compliance Impact

This vulnerability allows an authenticated user with access to a kvv2 path through a policy containing a glob to delete secrets they were not authorized to read or write, resulting in denial-of-service.

However, the vulnerability does not allow a malicious user to read any secret data or delete secrets across namespaces.

Because the vulnerability does not expose secret data, it primarily impacts availability rather than confidentiality or integrity of data.

Therefore, while it could affect operational availability aspects relevant to compliance, such as service availability under standards like GDPR or HIPAA, it does not directly lead to unauthorized disclosure of personal or sensitive data.

The impact on compliance would depend on how the denial-of-service affects the organization's ability to meet availability requirements under these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3605. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart