CVE-2026-5051

Summary

HashiCorp Vault and Vault Enterprise prior to 2.0.1 audit device validation logic did not consistently apply plugin directory protections when the legacy file audit path option was used.

This vulnerability (CVE-2026-5051) is fixed in 2.0.1, 1.21.6, 1.20.11, and 1.19.17.

Affected Software

VendorProductVersion RangeStatus
HashiCorpVault1.20.1 < 2.0.1affected
HashiCorpVault Enterprise1.19.0 < 2.0.1affected

Weaknesses

  • CWE-22: CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References