{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-5807/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-5807"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","vault","cve-2026-5807"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eHashiCorp Vault, a secrets management tool, is susceptible to a denial-of-service attack due to a flaw in its root token generation and rekey operation handling. The vulnerability, CVE-2026-5807, allows an unauthenticated attacker to repeatedly initiate or cancel these operations, effectively locking the single in-progress operation slot. This prevents legitimate administrators from performing necessary security functions. The vulnerability affects all versions prior to 2.0.0 of both Vault Community Edition and Vault Enterprise. The issue was reported publicly in April 2026 and patched in Vault version 2.0.0. 
Organizations using affected versions of Vault are urged to upgrade immediately to mitigate the risk of DoS attacks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUnauthenticated attacker sends a request to initiate a root token generation process to the Vault server\u0026rsquo;s API endpoint.\u003c/li\u003e\n\u003cli\u003eThe Vault server accepts the request, placing the operation in the single available slot.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a request to cancel the root token generation process.\u003c/li\u003e\n\u003cli\u003eThe Vault server cancels the operation, freeing the slot.\u003c/li\u003e\n\u003cli\u003eThe attacker repeats steps 1-4 in rapid succession, continuously occupying and freeing the operation slot.\u003c/li\u003e\n\u003cli\u003eA legitimate Vault administrator attempts to initiate a root token generation or rekey operation.\u003c/li\u003e\n\u003cli\u003eThe administrator\u0026rsquo;s request is blocked because the operation slot is perpetually occupied by the attacker\u0026rsquo;s requests.\u003c/li\u003e\n\u003cli\u003eThe Vault server becomes effectively unresponsive for legitimate root token generation or rekey tasks, resulting in a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability results in a denial-of-service condition, preventing legitimate Vault administrators from performing critical operations such as root token generation or rekeying. This can disrupt normal operations, hinder security incident response, and potentially lead to extended outages if root access is required for recovery. While the exact number of affected organizations is not available, any organization using Vault versions prior to 2.0.0 is potentially vulnerable. 
The impact severity is heightened in environments where Vault is a critical component of the infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Vault to version 2.0.0 or later immediately to patch CVE-2026-5807.\u003c/li\u003e\n\u003cli\u003eMonitor Vault access logs for suspicious patterns of root token generation or rekey initiation/cancellation requests, and create alerts based on those patterns using the \u003ccode\u003ewebserver\u003c/code\u003e log source.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on Vault\u0026rsquo;s API endpoints to mitigate the impact of rapid request flooding.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect attempts to repeatedly initiate or cancel root token generation or rekey operations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-17T05:16:19Z","date_published":"2026-04-17T05:16:19Z","id":"/briefs/2026-04-vault-dos/","summary":"HashiCorp Vault is vulnerable to a denial-of-service (DoS) condition, identified as CVE-2026-5807, where an unauthenticated attacker can repeatedly initiate or cancel root token generation or rekey operations, preventing legitimate operators from completing these workflows.","title":"HashiCorp Vault Denial-of-Service Vulnerability (CVE-2026-5807)","url":"https://feed.craftedsignal.io/briefs/2026-04-vault-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-5807","version":"https://jsonfeed.org/version/1.1"}