CVE-2026-4525

Summary

If a Vault auth mount is configured to pass through the "Authorization" header, and the "Authorization" header is used to authenticate to Vault, Vault forwarded the Vault token to the auth plugin backend. Fixed in 2.0.0, 1.21.5, 1.20.10, and 1.19.16.

Affected Software

VendorProductVersion RangeStatus
HashiCorpVault0.11.2 < 2.0.0affected
HashiCorpVault Enterprise0.11.2 < 2.0.0affected

Weaknesses

  • CWE-201: CWE-201: Insertion of Sensitive Information Into Sent Data

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

Vault: Vault: Information disclosure of authentication tokens via incorrect header handling

Additional References

References