{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/kvv2/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-3605"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["vault","kvv2","denial-of-service","cve-2026-3605"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-3605 is a vulnerability in HashiCorp Vault\u0026rsquo;s kvv2 secrets engine where an authenticated user can delete secrets they lack read/write authorization for, leading to a denial-of-service. This occurs when a policy associated with the user contains a glob allowing access to a kvv2 path. The vulnerability does \u003cem\u003enot\u003c/em\u003e permit cross-namespace secret deletion or unauthorized data reading. This issue impacts Vault Community Edition and Vault Enterprise. Affected versions include all releases prior to the fixes in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16. Successful exploitation allows an attacker to disrupt applications relying on the deleted secrets.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker obtains valid credentials for a Vault user account.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a kvv2 secrets path protected by a policy containing a glob (e.g., \u003ccode\u003esecret/data/*\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to Vault using their credentials via the Vault CLI or API (\u003ccode\u003evault login -method=...\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the Vault CLI or API to attempt to delete a secret within the globbed path (\u003ccode\u003evault kv delete secret/data/unauthorized-secret\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eDue to the policy misconfiguration, the delete operation succeeds, even though the attacker lacks explicit read or write permissions for the specific secret.\u003c/li\u003e\n\u003cli\u003eThe target secret is removed from the Vault backend.\u003c/li\u003e\n\u003cli\u003eApplications or services relying on the deleted secret experience failures or unexpected behavior.\u003c/li\u003e\n\u003cli\u003eRepeated secret deletion leads to widespread application disruption, resulting in a denial-of-service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-3605 allows an authenticated user to cause a denial-of-service by deleting secrets they are not authorized to manage. While the vulnerability does not allow unauthorized data access or cross-namespace deletion, the impact can be significant for organizations relying on Vault for secrets management. The number of affected systems depends on the scope of the vulnerable policy and the attacker\u0026rsquo;s access. The primary impact is application downtime and potential data loss due to deleted secrets.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Vault Community Edition and Vault Enterprise to versions 2.0.0, 1.21.5, 1.20.10, or 1.19.16 to patch CVE-2026-3605.\u003c/li\u003e\n\u003cli\u003eReview and revise Vault policies containing globs (\u003ccode\u003esecret/data/*\u003c/code\u003e) to ensure appropriate least-privilege access control and prevent unauthorized deletion, referencing the vulnerability description in this brief.\u003c/li\u003e\n\u003cli\u003eMonitor Vault audit logs for \u003ccode\u003esecret/delete\u003c/code\u003e operations performed by users with policies containing broad globs, using the provided Sigma rule for guidance.\u003c/li\u003e\n\u003cli\u003eImplement regular backups of Vault secrets to mitigate the impact of accidental or malicious deletion, in case this vulnerability is exploited.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-17T04:16:03Z","date_published":"2026-04-17T04:16:03Z","id":"/briefs/2026-04-vault-kvv2-dos/","summary":"An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service, addressed in Vault versions 2.0.0, 1.21.5, 1.20.10, and 1.19.16.","title":"Vault kvv2 Policy Bypass Vulnerability Leading to Denial-of-Service (CVE-2026-3605)","url":"https://feed.craftedsignal.io/briefs/2026-04-vault-kvv2-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Kvv2","version":"https://jsonfeed.org/version/1.1"}