github.com/hashicorp/vault
Language: Go. 53 known CVEs affecting this package.
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting github.com/hashicorp/vault (page 1 of 2)
- CVE-2020-10660 | MEDIUM | CVSS 5.3 | EG 5.3 | Fixed in 1.3.4 | 2020-03-23
HashiCorp Vault and Vault Enterprise versions 0.9.0 through 1.3.3 may, under certain circumstances, have an Entity's Group membership inadvertently include Groups the Entity no longer has permissions to. Fixed in 1.3.4.
- CVE-2020-10661 | CRITICAL | CVSS 9.1 | EG 9.1 | Fixed in 1.3.4 | 2020-03-23
HashiCorp Vault and Vault Enterprise versions 0.11.0 through 1.3.3 may, under certain circumstances, have existing nested-path policies grant access to Namespaces created after-the-fact. Fixed in 1.3.4.
- CVE-2020-13223 | HIGH | CVSS 7.5 | EG 7.5 | Fixed in 1.4.2 | 2020-06-10
HashiCorp Vault and Vault Enterprise logged proxy environment variables that potentially included sensitive credentials. Fixed in 1.3.6 and 1.4.2.
- CVE-2020-16250 | HIGH | CVSS 8.2 | EG 8.2 | Fixed in 1.5.1 | 2020-08-26
HashiCorp Vault and Vault Enterprise versions 0.7.1 and newer, when configured with the AWS IAM auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1.
- CVE-2020-16251 | HIGH | CVSS 8.2 | EG 8.2 | Fixed in 1.5.1 | 2020-08-26
HashiCorp Vault and Vault Enterprise versions 0.8.3 and newer, when configured with the GCP GCE auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1.
- CVE-2020-25816 | MEDIUM | CVSS 6.8 | EG 6.8 | Fixed in 1.5.4 | 2020-09-30
HashiCorp Vault and Vault Enterprise versions 1.0 and newer allowed leases created with a batch token to outlive their TTL because expiration time was not scheduled correctly. Fixed in 1.4.7 and 1.5.4.
- CVE-2020-35177 | MEDIUM | CVSS 5.3 | EG 5.3 | Fixed in 1.6.1 | 2020-12-17
HashiCorp Vault and Vault Enterprise 1.4.1 and newer allowed the enumeration of users via the LDAP auth method. Fixed in 1.5.6 and 1.6.1.
- CVE-2020-7220 | HIGH | CVSS 7.5 | EG 7.5 | Fixed in 1.3.2 | 2020-01-23
HashiCorp Vault Enterprise 0.11.0 through 1.3.1 fails, in certain circumstances, to revoke dynamic secrets for a mount in a deleted namespace. Fixed in 1.3.2.
- CVE-2021-3282 | HIGH | CVSS 7.5 | EG 7.5 | Fixed in 1.6.2 | 2021-02-01
HashiCorp Vault Enterprise 1.6.0 & 1.6.1 allowed the `remove-peer` raft operator command to be executed against DR secondaries without authentication. Fixed in 1.6.2.
- CVE-2021-32923 | HIGH | CVSS 7.4 | EG 7.4 | Fixed in 1.7.2 | 2021-06-03
HashiCorp Vault and Vault Enterprise allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically, those within 1 second of their maximum TTL), which caused them to be incorrectly treated as non-expiring durin…
- CVE-2021-38553 | MEDIUM | CVSS 4.4 | EG 4.4 | Fixed in 1.8.0 | 2021-08-13
HashiCorp Vault and Vault Enterprise 1.4.0 through 1.7.3 initialized an underlying database file associated with the Integrated Storage feature with excessively broad filesystem permissions. Fixed in Vault and Vault Enterprise 1.8.0.
- CVE-2021-38554 | MEDIUM | CVSS 5.3 | EG 5.3 | Fixed in 1.7.4 | 2021-08-13
HashiCorp Vault and Vault Enterprise’s UI erroneously cached and exposed user-viewed secrets between sessions in a single shared browser. Fixed in 1.8.0 and pending 1.7.4 / 1.6.6 releases.
- CVE-2021-41802 | LOW | CVSS 2.9 | EG 2.9 | Fixed in 1.8.4 | 2021-10-08
HashiCorp Vault and Vault Enterprise through 1.7.4 and 1.8.3 allowed a user with write permission to an entity alias ID sharing a mount accessor with another user to acquire this other user’s policies by merging their identities. Fixed i…
- CVE-2021-42135 | HIGH | CVSS 8.1 | EG 8.1 | Fixed in 1.8.5 | 2021-10-11
HashiCorp Vault and Vault Enterprise 1.8.x through 1.8.4 may have an unexpected interaction between glob-related policies and the Google Cloud secrets engine. Users may, in some situations, have more privileges than intended, e.g., a user …
- CVE-2021-43998 | MEDIUM | CVSS 6.5 | EG 6.5 | Fixed in 1.8.5 | 2021-11-30
HashiCorp Vault and Vault Enterprise 0.11.0 up to 1.7.5 and 1.8.4 templated ACL policies would always match the first-created entity alias if multiple entity aliases exist for a specified entity and mount combination, potentially resulting…
- CVE-2022-30689 | MEDIUM | CVSS 5.3 | EG 5.3 | Fixed in 1.10.3 | 2022-05-17
HashiCorp Vault and Vault Enterprise from 1.10.0 to 1.10.2 did not correctly configure and enforce MFA on login after server restarts. This affects the Login MFA feature introduced in Vault and Vault Enterprise 1.10.0 and does not affect t…
- CVE-2022-40186 | CRITICAL | CVSS 9.1 | EG 9.1 | Fixed in 1.11.3 | 2022-09-22
An issue was discovered in HashiCorp Vault and Vault Enterprise before 1.11.3. A vulnerability in the Identity Engine was found where, in a deployment where an entity has multiple mount accessors with shared alias names, Vault may overwrit…
- CVE-2022-41316 | MEDIUM | CVSS 5.3 | EG 5.3 | Fixed in 1.11.4 | 2022-10-12
HashiCorp Vault and Vault Enterprise’s TLS certificate auth method did not initially load the optionally configured CRL issued by the role's CA into memory on startup, resulting in the revocation list not being checked if the CRL has not…
- CVE-2023-0620 | MEDIUM | CVSS 6.5 | EG 6.5 | Fixed in 1.13.1 | 2023-03-30
HashiCorp Vault and Vault Enterprise versions 0.8.0 through 1.13.1 are vulnerable to an SQL injection attack when configuring the Microsoft SQL (MSSQL) Database Storage Backend. When configuring the MSSQL plugin through the local, certain …
- CVE-2023-0665 | MEDIUM | CVSS 6.5 | EG 6.5 | Fixed in 1.13.1 | 2023-03-30
HashiCorp Vault's PKI mount issuer endpoints did not correctly authorize access to remove an issuer or modify issuer metadata, potentially resulting in denial of service of the PKI mount. This bug did not affect public or private key mater…
- CVE-2023-2121 | MEDIUM | CVSS 4.3 | EG 4.3 | Fixed in 1.13.3 | 2023-06-09
Vault and Vault Enterprise's (Vault) key-value v2 (kv-v2) diff viewer allowed HTML injection into the Vault web UI through key values. This vulnerability, CVE-2023-2121, is fixed in Vault 1.14.0, 1.13.3, 1.12.7, and 1.11.11.
- CVE-2023-24999 | MEDIUM | CVSS 4.4 | EG 4.4 | Fixed in 1.12.4 | 2023-03-11
HashiCorp Vault and Vault Enterprise’s approle auth method allowed any authenticated user with access to an approle destroy endpoint to destroy the secret ID of any other role by providing the secret ID accessor. This vulnerability is fi…
- CVE-2023-25000 | MEDIUM | CVSS 5.0 | EG 5.0 | Fixed in 1.13.1 | 2023-03-30
HashiCorp Vault's implementation of Shamir's secret sharing used precomputed table lookups, and was vulnerable to cache-timing attacks. An attacker with access to, and the ability to observe a large number of unseal operations on the host …
- CVE-2023-3462 | MEDIUM | CVSS 5.3 | EG 5.3 | Fixed in 1.14.1 | 2023-07-31
HashiCorp's Vault and Vault Enterprise are vulnerable to user enumeration when using the LDAP auth method. An attacker may submit requests of existent and non-existent LDAP users and observe the response from Vault to check if the account …
- CVE-2023-4680 | MEDIUM | CVSS 6.8 | EG 6.8 | Fixed in 1.14.3 | 2023-09-15
HashiCorp Vault and Vault Enterprise transit secrets engine allowed authorized users to specify arbitrary nonces, even with convergent encryption disabled. The encrypt endpoint, in combination with an offline attack, could be used to decry…
- CVE-2023-5077 | HIGH | CVSS 7.6 | EG 7.6 | Fixed in 1.13.0 | 2023-09-29
The Vault and Vault Enterprise ("Vault") Google Cloud secrets engine did not preserve existing Google Cloud IAM Conditions upon creating or updating rolesets. Fixed in Vault 1.13.0.
- CVE-2023-5954 | MEDIUM | CVSS 5.9 | EG 5.9 | Fixed in 1.15.2 | 2023-11-09
HashiCorp Vault and Vault Enterprise inbound client requests triggering a policy check can lead to an unbounded consumption of memory. A large number of these requests may lead to denial-of-service. Fixed in Vault 1.15.2, 1.14.6, and 1.13.…
- CVE-2023-6337 | HIGH | CVSS 7.5 | EG 7.5 | Fixed in 1.15.4 | 2023-12-08
HashiCorp Vault and Vault Enterprise 1.12.0 and newer are vulnerable to a denial of service through memory exhaustion of the host when handling large unauthenticated and authenticated HTTP requests from a client. Vault will attempt to map …
- CVE-2024-0831 | MEDIUM | CVSS 4.5 | EG 4.5 | Fixed in 1.15.5 | 2024-02-01
Vault and Vault Enterprise (“Vault”) may expose sensitive information when enabling an audit device which specifies the `log_raw` option, which may log sensitive information to other audit devices, regardless of whether they are config…
- CVE-2024-2048 | HIGH | CVSS 8.1 | EG 8.1 | Fixed in 1.15.5 | 2024-03-04
Vault and Vault Enterprise (“Vault”) TLS certificate auth method did not correctly validate client certificates when configured with a non-CA certificate as trusted certificate. In this configuration, an attacker may be able to craft a…
- CVE-2024-2660 | MEDIUM | CVSS 6.4 | EG 6.4 | Fixed in 1.16.0 | 2024-04-04
Vault and Vault Enterprise TLS certificates auth method did not correctly validate OCSP responses when one or more OCSP sources were configured. This vulnerability, CVE-2024-2660, affects Vault and Vault Enterprise 1.14.0 and above, and is…
- CVE-2024-5798 | LOW | CVSS 2.6 | EG 2.6 | Fixed in 1.17.0 | 2024-06-12
Vault and Vault Enterprise did not properly validate the JSON Web Token (JWT) role-bound audience claim when using the Vault JWT auth method. This may have resulted in Vault validating a JWT the audience and role-bound claims do not match,…
- CVE-2024-6468 | HIGH | CVSS 7.5 | EG 7.5 | Fixed in 1.17.2 | 2024-07-11
Vault and Vault Enterprise did not properly handle requests originating from unauthorized IP addresses when the TCP listener option, proxy_protocol_behavior, was set to deny_unauthorized. When receiving a request from a source IP address t…
- CVE-2024-7594 | HIGH | CVSS 7.5 | EG 7.5 | Fixed in 1.17.6 | 2024-09-26
Vault’s SSH secrets engine did not require the valid_principals list to contain a value by default. If the valid_principals and default_user fields of the SSH secrets engine configuration are not set, an SSH certificate requested by an a…
- CVE-2024-8185 | HIGH | CVSS 7.5 | EG 7.5 | Fixed in 1.18.1 | 2024-10-31
Vault Community and Vault Enterprise (“Vault”) clusters using Vault’s Integrated Storage backend are vulnerable to a denial-of-service (DoS) attack through memory exhaustion through a Raft cluster join API endpoint. An attacker may …
- CVE-2024-8365 | MEDIUM | CVSS 6.2 | EG 6.2 | Fixed in 1.17.5 | 2024-09-02
Vault Community Edition and Vault Enterprise experienced a regression where functionality that HMAC’d sensitive headers in the configured audit device, specifically client tokens and token accessors, was removed. This resulted in the pla…
- CVE-2024-9180 | HIGH | CVSS 7.2 | EG 7.2 | Fixed in 1.18.0 | 2024-10-10
A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or another user’s privileges to Vault’s root policy. Fixed in Vault Community Edition 1.18.0 and Vault Enterprise 1…
- CVE-2025-11621 | HIGH | CVSS 8.1 | EG 8.1 | Fixed in 1.21.0 | 2025-10-23
Vault and Vault Enterprise’s (“Vault”) AWS Auth method may be susceptible to authentication bypass if the role of the configured bound_principal_iam is the same across AWS accounts, or uses a wildcard. This vulnerability, CVE-2025-11…
- CVE-2025-12044 | HIGH | CVSS 7.5 | EG 7.5 | Fixed in 1.21.0 | 2025-10-23
Vault and Vault Enterprise (“Vault”) are vulnerable to an unauthenticated denial of service when processing JSON payloads. This occurs due to a regression from a previous fix for [+HCSEC-2025-24+|https://discuss.hashicorp.com/t/hcsec-2…
- CVE-2025-3879 | MEDIUM | CVSS 6.6 | EG 6.6 | Fixed in 1.19.1 | 2025-05-02
Vault Community, Vault Enterprise (“Vault”) Azure Auth method did not correctly validate the claims in the Azure-issued token, resulting in the potential bypass of the bound_locations parameter on login. Fixed in Vault Community Editio…
- CVE-2025-4166 | MEDIUM | CVSS 4.5 | EG 4.5 | Fixed in 1.19.3 | 2025-05-02
Vault Community and Vault Enterprise Key/Value (kv) Version 2 plugin may unintentionally expose sensitive information in server and audit logs when users submit malformed payloads during secret creation or update operations via the Vault R…
- CVE-2025-4656 | LOW | CVSS 3.1 | EG 3.1 | Fixed in 1.20.0 | 2025-06-25
Vault Community and Vault Enterprise rekey and recovery key operations can lead to a denial of service due to uncontrolled cancellation by a Vault operator. This vulnerability (CVE-2025-4656) has been remediated in Vault Community Edition …
- CVE-2025-6004 | MEDIUM | CVSS 5.3 | EG 5.3 | Fixed in 1.20.1 | 2025-08-01
Vault and Vault Enterprise’s (“Vault”) user lockout feature could be bypassed for Userpass and LDAP authentication methods. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.
- CVE-2025-6011 | LOW | CVSS 3.7 | EG 3.7 | Fixed in 1.20.1 | 2025-08-01
A timing side channel in Vault and Vault Enterprise’s (“Vault”) userpass auth method allowed an attacker to distinguish between existing and non-existing users, and potentially enumerate valid usernames for Vault’s Userpass auth me…
- CVE-2025-6013 | MEDIUM | CVSS 6.5 | EG 6.5 | Fixed in 1.20.2 | 2025-08-06
Vault and Vault Enterprise’s (“Vault”) ldap auth method may not have correctly enforced MFA if username_as_alias was set to true and a user had multiple CNs that are equal but with leading or trailing spaces. Fixed in Vault Community…
- CVE-2025-6014 | MEDIUM | CVSS 6.5 | EG 6.5 | Fixed in 1.20.1 | 2025-08-01
Vault and Vault Enterprise’s (“Vault”) TOTP Secrets Engine code validation endpoint is susceptible to code reuse within its validity period. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.…
- CVE-2025-6015 | MEDIUM | CVSS 5.7 | EG 5.7 | Fixed in 1.20.1 | 2025-08-01
Vault and Vault Enterprise’s (“Vault”) login MFA rate limits could be bypassed and TOTP tokens could be reused. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.
- CVE-2025-6037 | MEDIUM | CVSS 6.8 | EG 6.8 | Fixed in 1.20.1 | 2025-08-01
Vault and Vault Enterprise (“Vault”) TLS certificate auth method did not correctly validate client certificates when configured with a non-CA certificate as [+trusted certificate+|https://developer.hashicorp.com/vault/api-docs/auth/cer…
- CVE-2025-6203 | HIGH | CVSS 7.5 | EG 7.5 | Fixed in 1.20.3 | 2025-08-28
A malicious user may submit a specially-crafted complex payload that otherwise meets the default request size limit which results in excessive memory and CPU consumption of Vault. This may lead to a timeout in Vault’s auditing subroutine…
- CVE-2026-3605 | HIGH | CVSS 8.1 | EG 8.1 | 2026-04-17
An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user …