<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Vault — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/vault/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 17 Apr 2026 05:16:19 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/vault/feed.xml" rel="self" type="application/rss+xml"/><item><title>HashiCorp Vault Denial-of-Service Vulnerability (CVE-2026-5807)</title><link>https://feed.craftedsignal.io/briefs/2026-04-vault-dos/</link><pubDate>Fri, 17 Apr 2026 05:16:19 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-vault-dos/</guid><description>HashiCorp Vault is vulnerable to a denial-of-service (DoS) condition, identified as CVE-2026-5807, where an unauthenticated attacker can repeatedly initiate or cancel root token generation or rekey operations, preventing legitimate operators from completing these workflows.</description><content:encoded><![CDATA[<p>HashiCorp Vault, a secrets management tool, is susceptible to a denial-of-service attack due to a flaw in its root token generation and rekey operation handling. The vulnerability, CVE-2026-5807, allows an unauthenticated attacker to repeatedly initiate or cancel these operations, effectively locking the single in-progress operation slot. This prevents legitimate administrators from performing necessary security functions. The vulnerability affects all versions prior to 2.0.0 of both Vault Community Edition and Vault Enterprise. The issue was reported publicly in April 2026 and patched in Vault version 2.0.0. 
Organizations using affected versions of Vault are urged to upgrade immediately to mitigate the risk of DoS attacks.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Unauthenticated attacker sends a request to initiate a root token generation process to the Vault server&rsquo;s API endpoint.</li>
<li>The Vault server accepts the request, placing the operation in the single available slot.</li>
<li>The attacker sends a request to cancel the root token generation process.</li>
<li>The Vault server cancels the operation, freeing the slot.</li>
<li>The attacker repeats steps 1-4 in rapid succession, continuously occupying and freeing the operation slot.</li>
<li>A legitimate Vault administrator attempts to initiate a root token generation or rekey operation.</li>
<li>The administrator&rsquo;s request is blocked because the operation slot is perpetually occupied by the attacker&rsquo;s requests.</li>
<li>The Vault server becomes effectively unresponsive for legitimate root token generation or rekey tasks, resulting in a denial of service.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability results in a denial-of-service condition, preventing legitimate Vault administrators from performing critical operations such as root token generation or rekeying. This can disrupt normal operations, hinder security incident response, and potentially lead to extended outages if root access is required for recovery. While the exact number of affected organizations is not available, any organization using Vault versions prior to 2.0.0 is potentially vulnerable. The impact severity is heightened in environments where Vault is a critical component of the infrastructure.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Vault to version 2.0.0 or later immediately to patch CVE-2026-5807.</li>
<li>Monitor Vault access logs for suspicious patterns of root token generation or rekey initiation/cancellation requests, and create alerts based on those patterns using the <code>webserver</code> log source.</li>
<li>Implement rate limiting on Vault&rsquo;s API endpoints to mitigate the impact of rapid request flooding.</li>
<li>Deploy the provided Sigma rule to detect attempts to repeatedly initiate or cancel root token generation or rekey operations.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>denial-of-service</category><category>vault</category><category>cve-2026-5807</category></item><item><title>Vault Token Leak via Authorization Header Forwarding</title><link>https://feed.craftedsignal.io/briefs/2026-04-vault-token-leak/</link><pubDate>Fri, 17 Apr 2026 04:16:09 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-vault-token-leak/</guid><description>Vault instances configured to pass through the 'Authorization' header may forward Vault tokens to auth plugin backends when the header is used for authentication, potentially leading to token compromise; this vulnerability is tracked as CVE-2026-4525 and patched in versions 2.0.0, 1.21.5, 1.20.10, and 1.19.16.</description><content:encoded><![CDATA[<p>CVE-2026-4525 describes a vulnerability in HashiCorp Vault where an improperly sanitized &ldquo;Authorization&rdquo; header can lead to token exposure. Specifically, if a Vault auth mount is configured to pass through the &ldquo;Authorization&rdquo; header, and that header is used to authenticate with Vault, the Vault token itself is inadvertently forwarded to the auth plugin backend. This unintended token forwarding could allow malicious actors to gain unauthorized access if they can intercept or control the auth plugin backend. This issue affects Vault versions prior to 2.0.0, 1.21.5, 1.20.10, and 1.19.16 and was reported by HashiCorp. The vulnerability was patched in the aforementioned versions. Exploitation would require specific Vault configuration and the ability to influence the authentication process via the Authorization header.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a Vault instance with an auth mount configured to pass through the &ldquo;Authorization&rdquo; header.</li>
<li>The attacker crafts a malicious request to Vault, including a valid &ldquo;Authorization&rdquo; header for authentication purposes.</li>
<li>Vault processes the request and, due to the vulnerability, forwards the Vault token contained in the &ldquo;Authorization&rdquo; header to the configured auth plugin backend.</li>
<li>The attacker intercepts the forwarded Vault token, either by compromising the auth plugin backend or through network monitoring.</li>
<li>The attacker uses the stolen Vault token to authenticate directly to Vault, bypassing normal authentication procedures.</li>
<li>The attacker gains unauthorized access to sensitive data and secrets stored within Vault.</li>
<li>The attacker escalates privileges within the Vault environment by leveraging the compromised token&rsquo;s permissions.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-4525 allows an attacker to steal Vault tokens, potentially granting them complete control over the Vault instance and access to all stored secrets. The severity is high due to the potential for complete compromise of sensitive data. The impact depends on the scope of secrets managed by the compromised Vault instance; in some cases, this could lead to a complete breach of the affected organization&rsquo;s infrastructure. The vulnerability affects all organizations using vulnerable versions of Vault with auth mounts configured to pass through the &ldquo;Authorization&rdquo; header.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Vault instances to version 2.0.0, or to 1.21.5, 1.20.10, or 1.19.16 (or a later release in the same series), to remediate CVE-2026-4525.</li>
<li>Review Vault auth mount configurations to ensure that the &ldquo;Authorization&rdquo; header is not being passed through unnecessarily.</li>
<li>Monitor network traffic for unauthorized access attempts using stolen Vault tokens after applying the patch.</li>
<li>Implement the provided Sigma rule targeting the usage of specific auth paths after a potential compromise.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>vault</category><category>token-leak</category><category>authorization</category><category>cve-2026-4525</category></item><item><title>Vault kvv2 Policy Bypass Vulnerability Leading to Denial-of-Service (CVE-2026-3605)</title><link>https://feed.craftedsignal.io/briefs/2026-04-vault-kvv2-dos/</link><pubDate>Fri, 17 Apr 2026 04:16:03 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-vault-kvv2-dos/</guid><description>An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service, addressed in Vault versions 2.0.0, 1.21.5, 1.20.10, and 1.19.16.</description><content:encoded><![CDATA[<p>CVE-2026-3605 is a vulnerability in HashiCorp Vault&rsquo;s kvv2 secrets engine where an authenticated user can delete secrets they lack read/write authorization for, leading to a denial-of-service. This occurs when a policy associated with the user contains a glob allowing access to a kvv2 path. The vulnerability does <em>not</em> permit cross-namespace secret deletion or unauthorized data reading. This issue impacts Vault Community Edition and Vault Enterprise. Affected versions include all releases prior to the fixes in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16. Successful exploitation allows an attacker to disrupt applications relying on the deleted secrets.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker obtains valid credentials for a Vault user account.</li>
<li>The attacker identifies a kvv2 secrets path protected by a policy containing a glob (e.g., <code>secret/data/*</code>).</li>
<li>The attacker authenticates to Vault using their credentials via the Vault CLI or API (<code>vault login -method=...</code>).</li>
<li>The attacker uses the Vault CLI or API to attempt to delete a secret within the globbed path (<code>vault kv delete secret/data/unauthorized-secret</code>).</li>
<li>Due to the policy misconfiguration, the delete operation succeeds, even though the attacker lacks explicit read or write permissions for the specific secret.</li>
<li>The target secret is removed from the Vault backend.</li>
<li>Applications or services relying on the deleted secret experience failures or unexpected behavior.</li>
<li>Repeated secret deletion leads to widespread application disruption, resulting in a denial-of-service.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-3605 allows an authenticated user to cause a denial-of-service by deleting secrets they are not authorized to manage. While the vulnerability does not allow unauthorized data access or cross-namespace deletion, the impact can be significant for organizations relying on Vault for secrets management. The number of affected systems depends on the scope of the vulnerable policy and the attacker&rsquo;s access. The primary impact is application downtime and potential data loss due to deleted secrets.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Vault Community Edition and Vault Enterprise to versions 2.0.0, 1.21.5, 1.20.10, or 1.19.16 to patch CVE-2026-3605.</li>
<li>Review and revise Vault policies containing globs (such as <code>secret/data/*</code>) to enforce least-privilege access control and prevent unauthorized deletion of secrets.</li>
<li>Monitor Vault audit logs for <code>secret/delete</code> operations performed by users with policies containing broad globs, using the provided Sigma rule for guidance.</li>
<li>Implement regular backups of Vault secrets to mitigate the impact of accidental or malicious deletion, in case this vulnerability is exploited.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>vault</category><category>kvv2</category><category>denial-of-service</category><category>cve-2026-3605</category></item></channel></rss>