{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/vault/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-5807"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","vault","cve-2026-5807"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eHashiCorp Vault, a secrets management tool, is susceptible to a denial-of-service attack due to a flaw in its root token generation and rekey operation handling. The vulnerability, CVE-2026-5807, allows an unauthenticated attacker to repeatedly initiate or cancel these operations, effectively locking the single in-progress operation slot. This prevents legitimate administrators from performing necessary security functions. The vulnerability affects all versions prior to 2.0.0 of both Vault Community Edition and Vault Enterprise. The issue was reported publicly in April 2026 and patched in Vault version 2.0.0. 
Organizations running affected versions should upgrade; because the affected endpoints accept requests without a token, any client that can reach the Vault API can trigger the condition.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a request to the Vault API to initiate a root token generation attempt (the same applies to the rekey initiation endpoint; both are reachable without a token by design).\u003c/li\u003e\n\u003cli\u003eVault accepts the request and places the operation in the single in-progress slot.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the matching cancel request; Vault cancels the operation and frees the slot.\u003c/li\u003e\n\u003cli\u003eThe attacker repeats steps 1-3 in a tight loop, so the slot is occupied almost continuously.\u003c/li\u003e\n\u003cli\u003eA legitimate administrator attempts to initiate root token generation or a rekey. Either the request is rejected because the slot is already taken, or, if it does land, the attacker\u0026rsquo;s next cancel request aborts it before it completes.\u003c/li\u003e\n\u003cli\u003eRoot token generation and rekey remain unavailable to operators for as long as the attacker keeps cycling the slot, resulting in a denial of service for those workflows.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation results in a denial-of-service condition against two administrative workflows, root token generation and rekeying, rather than against secret access in general. That scope still matters: these are the workflows needed during incident response, for example to regain administrative access with a fresh root token or to rotate unseal keys after a suspected compromise, so the outage can prolong a recovery. While the number of affected organizations is not known, any deployment of Vault prior to 2.0.0 whose API is reachable by untrusted clients is potentially vulnerable.
The impact is greater where Vault sits on the critical path for recovery, since root token generation is often the last resort for regaining administrative access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Vault to version 2.0.0 or later to patch CVE-2026-5807; this is the only complete fix.\u003c/li\u003e\n\u003cli\u003eEnable a Vault audit device if one is not already configured, and alert on bursts of initiate (update) and cancel (delete) requests against the root-generation and rekey endpoints, especially from addresses that are not operator workstations. Where Vault sits behind a reverse proxy, the same pattern is visible in the proxy\u0026rsquo;s access log, the \u003ccode\u003ewebserver\u003c/code\u003e log source referenced in this brief.\u003c/li\u003e\n\u003cli\u003eRate-limit these endpoints at the reverse proxy or, where supported, with a Vault rate-limit quota scoped to the \u003ccode\u003esys/generate-root\u003c/code\u003e and \u003ccode\u003esys/rekey\u003c/code\u003e paths. Rate limiting only slows the attacker: a single initiate request still occupies the slot until it is cancelled, so also restrict network access to these endpoints to operator addresses where the deployment allows it.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect attempts to repeatedly initiate or cancel root token generation or rekey operations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-17T05:16:19Z","date_published":"2026-04-17T05:16:19Z","id":"/briefs/2026-04-vault-dos/","summary":"HashiCorp Vault is vulnerable to a denial-of-service (DoS) condition, identified as CVE-2026-5807, where an unauthenticated attacker can repeatedly initiate or cancel root token generation or rekey operations, preventing legitimate operators from completing these workflows.","title":"HashiCorp Vault Denial-of-Service Vulnerability (CVE-2026-5807)","url":"https://feed.craftedsignal.io/briefs/2026-04-vault-dos/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-4525"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["vault","token-leak","authorization","cve-2026-4525"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-4525 describes a vulnerability in HashiCorp Vault where an \u0026ldquo;Authorization\u0026rdquo; header passed through to an auth plugin can expose the caller\u0026rsquo;s Vault token. 
Specifically, Vault accepts \u0026ldquo;Authorization: Bearer \u0026lt;token\u0026gt;\u0026rdquo; as an alternative to the \u0026ldquo;X-Vault-Token\u0026rdquo; header. If an auth mount is tuned to pass the \u0026ldquo;Authorization\u0026rdquo; request header through to its plugin, a request to that mount that carries a Vault token in that header has the token forwarded to the auth plugin backend, where it does not belong. Anyone who can observe or control that backend can harvest live Vault tokens. This issue affects Vault versions prior to 2.0.0, 1.21.5, 1.20.10, and 1.19.16, was reported by HashiCorp, and was patched in those versions. Exploitation requires this specific mount configuration plus a position from which the forwarded header can be read.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a Vault instance with an auth mount configured to pass through the \u0026ldquo;Authorization\u0026rdquo; header, and gains visibility into that mount\u0026rsquo;s plugin backend: by compromising the plugin or the service it calls out to, or by monitoring the network path between them.\u003c/li\u003e\n\u003cli\u003eA legitimate client sends a request to that mount carrying a valid Vault token in the \u0026ldquo;Authorization\u0026rdquo; header.\u003c/li\u003e\n\u003cli\u003eVault authenticates the request with that token and, due to the vulnerability, forwards the header, token included, to the auth plugin backend.\u003c/li\u003e\n\u003cli\u003eThe attacker reads the forwarded token from the backend or off the wire.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen token to call Vault directly, bypassing the normal login flow.\u003c/li\u003e\n\u003cli\u003eThe attacker reads the secrets that the token\u0026rsquo;s policies allow.\u003c/li\u003e\n\u003cli\u003eWhere the captured token carries broad or administrative policies, the attacker escalates within Vault using those permissions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-4525 lets an attacker harvest the Vault tokens of whichever clients send them through the misconfigured mount. The damage is bounded by those tokens\u0026rsquo; policies, but if an operator or root token is captured the attacker can take complete control of the Vault instance and every secret it holds, which is why the severity is rated high. In the worst case this extends to the infrastructure whose credentials Vault manages. The vulnerability affects every organization running a vulnerable version with an auth mount that passes through the \u0026ldquo;Authorization\u0026rdquo; header.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Vault to 2.0.0, 1.21.5, 1.20.10, or 1.19.16 or later to remediate CVE-2026-4525.\u003c/li\u003e\n\u003cli\u003eReview the \u003ccode\u003epassthrough_request_headers\u003c/code\u003e tune setting on every auth mount and remove \u0026ldquo;Authorization\u0026rdquo; wherever the plugin does not genuinely need it; this removes the precondition for the bug even before the upgrade.\u003c/li\u003e\n\u003cli\u003eIf a vulnerable mount did pass the header through, treat tokens sent to it as exposed: consider revoking and reissuing them, and search the audit log for use of those tokens from unexpected remote addresses or outside their usual hours.\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule targeting the usage of specific auth paths after a potential compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-17T04:16:09Z","date_published":"2026-04-17T04:16:09Z","id":"/briefs/2026-04-vault-token-leak/","summary":"Vault instances configured to pass through the 'Authorization' header may forward Vault tokens to auth plugin backends when the header is used for authentication, potentially leading to token compromise; this vulnerability is tracked as CVE-2026-4525 and patched in versions 2.0.0, 1.21.5, 1.20.10, and 1.19.16.","title":"Vault Token Leak via Authorization Header 
Forwarding","url":"https://feed.craftedsignal.io/briefs/2026-04-vault-token-leak/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-3605"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["vault","kvv2","denial-of-service","cve-2026-3605"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-3605 is a vulnerability in the kv-v2 secrets engine of HashiCorp Vault: an authenticated user whose policy grants access to a kv-v2 path through a glob can delete secrets under that path that they were never authorized to read or write. The result is a denial of service for the applications that depend on those secrets. The vulnerability does \u003cem\u003enot\u003c/em\u003e allow deletion across namespaces, and it does not disclose secret data. It affects both Vault Community Edition and Vault Enterprise: all releases before Vault Community Edition 2.0.0 and before Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker obtains valid credentials for a Vault identity.\u003c/li\u003e\n\u003cli\u003eThe attacker finds that one of the policies attached to that identity contains a glob over a kv-v2 mount, for example \u003ccode\u003epath \u0026quot;secret/data/*\u0026quot;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker logs in with the Vault CLI or API (\u003ccode\u003evault login -method=...\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker issues a delete for a secret beneath the globbed path, for example \u003ccode\u003evault kv delete -mount=secret unauthorized-secret\u003c/code\u003e, which the CLI sends as a DELETE to \u003ccode\u003esecret/data/unauthorized-secret\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eBecause of the bug, the glob grant is enough for Vault to accept the delete, even though the attacker has no explicit read or write permission for that specific 
secret.\u003c/li\u003e\n\u003cli\u003eThe target secret is removed from the kv-v2 backend.\u003c/li\u003e\n\u003cli\u003eApplications or services that read the deleted secret fail or behave unexpectedly.\u003c/li\u003e\n\u003cli\u003eRepeating the deletion across the globbed path disrupts every dependent application, resulting in a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-3605 allows an authenticated user to cause a denial of service by deleting secrets they are not authorized to manage. The vulnerability does not allow reading secret data or deleting across namespaces, but the blast radius is every path reachable through the glob, so for organizations that rely on Vault as the single source of runtime credentials the impact is application downtime and, where the deleted versions are not recoverable, data loss.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Vault Community Edition and Vault Enterprise to 2.0.0, 1.21.5, 1.20.10, or 1.19.16 to patch CVE-2026-3605.\u003c/li\u003e\n\u003cli\u003eReview every policy that grants capabilities on a glob such as \u003ccode\u003esecret/data/*\u003c/code\u003e and narrow it to the explicit paths each identity needs; until the patch is applied, a glob grant can be exercised as a delete on paths the token was never meant to touch.\u003c/li\u003e\n\u003cli\u003eMonitor the Vault audit log for \u003ccode\u003edelete\u003c/code\u003e operations on \u003ccode\u003esecret/data/*\u003c/code\u003e and \u003ccode\u003esecret/metadata/*\u003c/code\u003e, and for \u003ccode\u003eupdate\u003c/code\u003e operations on \u003ccode\u003esecret/delete/*\u003c/code\u003e and \u003ccode\u003esecret/destroy/*\u003c/code\u003e, and flag those issued by tokens whose policies reach the path only through a broad glob, using the provided Sigma rule for guidance.\u003c/li\u003e\n\u003cli\u003eBefore restoring from backup, check whether the version was only soft-deleted: a plain kv-v2 delete marks the latest version deleted and \u003ccode\u003evault kv undelete\u003c/code\u003e can restore it, whereas \u003ccode\u003edestroy\u003c/code\u003e and metadata deletion are permanent. Keep regular backups of Vault (for example Raft snapshots) so that permanently removed secrets can still be recovered in case this vulnerability is 
exploited.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-17T04:16:03Z","date_published":"2026-04-17T04:16:03Z","id":"/briefs/2026-04-vault-kvv2-dos/","summary":"An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service, addressed in Vault versions 2.0.0, 1.21.5, 1.20.10, and 1.19.16.","title":"Vault kvv2 Policy Bypass Vulnerability Leading to Denial-of-Service (CVE-2026-3605)","url":"https://feed.craftedsignal.io/briefs/2026-04-vault-kvv2-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Vault","version":"https://jsonfeed.org/version/1.1"}
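Detection logic for the initiate/cancel churn described in the first brief (CVE-2026-5807) and for the kv-v2 deletes described in the third (CVE-2026-3605), as an added Python example; it is not part of this feed, of the Sigma rules it references, or of HashiCorp's tooling. It runs over constructed Vault file-audit-device lines embedded in the block. The field names it reads, the endpoint paths it treats as slot owners, and the window and threshold values are assumptions to adjust for your deployment.

```python
"""Two detections over Vault audit-device log lines (JSON, one record per line):
   1. slot_churn(): bursts of initiate/cancel calls on the unauthenticated
      root-generation and rekey endpoints (the CVE-2026-5807 pattern).
   2. kv_deletes(): kv-v2 delete/destroy requests with the caller's policies,
      for triage of the CVE-2026-3605 pattern.
Field names (type, time, auth.display_name, auth.policies, request.operation,
request.path, request.remote_address) are an assumption about the standard
file audit device format; adjust them if your device is configured differently."""
import json
from collections import defaultdict, deque
from datetime import datetime

# Endpoints that own the single in-progress slot (assumed list). Vault logs
# POST/PUT as operation "update" (initiate) and DELETE as "delete" (cancel).
SLOT_PATHS = {"sys/generate-root/attempt", "sys/rekey/init", "sys/rekey-recovery-key/init"}


def parse_audit(lines):
    """Yield (timestamp, entry) for request-type records; skip responses and junk."""
    for line in lines:
        try:
            e = json.loads(line)
        except (json.JSONDecodeError, TypeError):
            continue
        if not isinstance(e, dict) or e.get("type") != "request" or "time" not in e:
            continue
        yield datetime.fromisoformat(e["time"].replace("Z", "+00:00")), e


def slot_churn(lines, window=60, threshold=6):
    """Per remote address, the peak number of initiate/cancel calls on a slot
    endpoint inside any `window`-second span; returns addresses at or above
    `threshold`. Lines are assumed to be in chronological order, as written."""
    recent, peak = defaultdict(deque), defaultdict(int)
    for ts, e in parse_audit(lines):
        req = e.get("request", {})
        if req.get("path") not in SLOT_PATHS or req.get("operation") not in ("update", "delete"):
            continue
        addr = req.get("remote_address", "unknown")
        q = recent[addr]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:   # drop calls outside the window
            q.popleft()
        peak[addr] = max(peak[addr], len(q))
    return {a: n for a, n in peak.items() if n >= threshold}


def is_kv_delete(mount, op, path):
    """True for the kv-v2 requests that remove data: DELETE on data/ or metadata/,
    POST (logged as update) on the version-specific delete/ or destroy/ paths."""
    prefix = mount.rstrip("/") + "/"
    if not path.startswith(prefix):
        return False
    sub = path[len(prefix):]
    return (op == "delete" and sub.startswith(("data/", "metadata/"))) or \
           (op == "update" and sub.startswith(("delete/", "destroy/")))


def kv_deletes(lines, mount="secret"):
    """Every kv-v2 delete/destroy request with who issued it and under which
    policies, so deletes by tokens holding only a glob grant can be picked out."""
    hits = []
    for _, e in parse_audit(lines):
        req = e.get("request", {})
        if not is_kv_delete(mount, req.get("operation"), req.get("path", "")):
            continue
        auth = e.get("auth") or {}
        hits.append({"time": e["time"], "operation": req["operation"], "path": req["path"],
                     "display_name": auth.get("display_name"),
                     "policies": sorted(auth.get("policies") or []),
                     "remote_address": req.get("remote_address")})
    return hits


def _entry(t, op, path, addr, policies=None, name=None):
    """Build one constructed audit line (not a real capture)."""
    return json.dumps({"time": t, "type": "request",
                       "auth": {"display_name": name, "policies": policies or []},
                       "request": {"operation": op, "path": path, "remote_address": addr}})


# Constructed sample log: one address cycling the root-generation slot every
# second, one legitimate rekey start, one kv-v2 delete, one read, plus a
# response record and a malformed line that the parser must ignore.
SAMPLE_LOG = [
    *[_entry(f"2026-04-17T05:00:{i:02d}Z", "update" if i % 2 == 0 else "delete",
             "sys/generate-root/attempt", "10.0.0.66") for i in range(12)],
    _entry("2026-04-17T05:01:00Z", "update", "sys/rekey/init", "10.0.0.5"),
    _entry("2026-04-17T05:02:00Z", "delete", "secret/data/payments/db", "10.0.1.9",
           ["default", "app-glob"], "token-ci"),
    _entry("2026-04-17T05:02:05Z", "read", "secret/data/payments/db", "10.0.1.9",
           ["default", "app-glob"], "token-ci"),
    '{"time":"2026-04-17T05:02:06Z","type":"response","request":{"operation":"delete","path":"secret/data/x"}}',
    "not json",
]

if __name__ == "__main__":
    print("slot churn:", slot_churn(SAMPLE_LOG))
    for h in kv_deletes(SAMPLE_LOG):
        print("kv delete:", h)
```

To run it against a real file, pass the open file object in place of `SAMPLE_LOG` (for example `kv_deletes(open("/var/log/vault/audit.log"))`). Note that the file audit device HMACs tokens and other sensitive fields by default, so the output identifies callers by display name, policies and remote address rather than by token value, which is what you want for a detection feed anyway.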