Vault and Vault Enterprise did not properly validate the JSON Web Token (JWT) role-bound audience claim when using the Vault JWT auth method. This may have resulted in Vault accepting a JWT whose audience claim does not match the role's bound audiences, allowing an invalid login to succeed when it should have been rejected.

This vulnerability, CVE-2024-5798, was fixed in Vault and Vault Enterprise 1.17.0, 1.16.3, and 1.15.9.
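The check the advisory describes, written out as an added defensive example (not Vault's own code): a role-bound audience check that, after signature verification, requires at least one value of the token's aud claim to appear in the role's bound_audiences list, and treats a missing or malformed aud as a rejection rather than a pass. The role field name mirrors the Vault JWT role parameter; the function names are assumptions.

```go
package main

import "errors"

// ErrAudienceMismatch: the token carries none of the role's bound audiences.
var ErrAudienceMismatch = errors.New("jwt: aud does not match role bound_audiences")

// audiences normalizes the RFC 7519 "aud" claim as decoded from JSON, which
// may be a string or an array ([]any) of strings. Anything else, including a
// missing claim, is an error rather than an empty (and thus unchecked) list.
func audiences(claim any) ([]string, error) {
	switch v := claim.(type) {
	case string:
		return []string{v}, nil
	case []any:
		out := make([]string, 0, len(v))
		for _, a := range v {
			s, ok := a.(string)
			if !ok {
				return nil, errors.New("jwt: aud array holds a non-string value")
			}
			out = append(out, s)
		}
		return out, nil
	}
	return nil, errors.New("jwt: aud claim missing or of unsupported type")
}

// checkBoundAudiences enforces the role's bound_audiences (hypothetical role
// field mirroring the Vault JWT role setting) against the token's aud claim:
// when the role binds audiences, at least one must appear in aud, and a
// missing or malformed aud is a rejection rather than a pass.
func checkBoundAudiences(claims map[string]any, boundAudiences []string) error {
	if len(boundAudiences) == 0 {
		return nil // role does not restrict audience
	}
	auds, err := audiences(claims["aud"])
	if err != nil {
		return err
	}
	for _, a := range auds {
		for _, b := range boundAudiences {
			if a == b {
				return nil
			}
		}
	}
	return ErrAudienceMismatch
}
```

The claims map is what encoding/json produces for a decoded payload, so the check plugs in directly after signature verification.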
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Thu, 07 Aug 2025 17:00:00 +0000

Type: CPEs
Values Removed: (none)
Values Added:
cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:*
cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*

MITRE

Status: PUBLISHED

Assigner: HashiCorp

Published:

Updated: 2024-08-01T21:25:02.659Z

Reserved: 2024-06-10T15:46:30.387Z

Link: CVE-2024-5798

Vulnrichment

Updated: 2024-08-01T21:25:02.659Z

NVD

Status: Analyzed

Published: 2024-06-12T19:15:51.413

Modified: 2025-08-07T16:56:44.753

Link: CVE-2024-5798

Redhat

Severity: Low

Public Date: 2024-06-12T00:00:00Z

Links: CVE-2024-5798 - Bugzilla

OpenCVE Enrichment

Updated: 2025-07-12T22:00:58Z