Description
An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user to delete secrets across namespaces, nor read any secret data. Fxed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.
Published: 2026-04-17
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch Promptly
AI Analysis

Impact

An authentication and authorization flaw in HashiCorp Vault allows an authenticated user with a glob‑based policy on a kvv2 path to delete secrets they are not authorized to remove, which can cause downtime for the service. The vulnerability does not provide cross‑namespace deletion or allow reading of secret data; it is a denial‑of‑service scenario rooted in insufficient permission checks (CWE-288).

Affected Systems

HashiCorp Vault Community Edition 2.0.0 and HashiCorp Vault Enterprise versions 2.0.0, 1.21.5, 1.20.10, and 1.19.16 are affected by this policy bypass. Users running these releases without updating are exposed to the described deletion issue.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity impact, and the lack of an EPSS score or KEV listing suggests no known widespread exploitation yet, though the absence of limitations on delete permissions makes the vulnerability readily exploitable in environments with misconfigured glob policies. An attacker must be authenticated and have policy access to the vulnerable path, but does not need any special administrative privileges beyond normal policy rights, increasing the likelihood of exploitation if privileges are misassigned.

Generated by OpenCVE AI on April 17, 2026 at 04:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade HashiCorp Vault Community Edition to version 2.0.0 or later.
  • If using Vault Enterprise, upgrade to at least version 2.0.0, or to the patched releases 1.21.5, 1.20.10, or 1.19.16 if an upgrade to 2.0.0 is not immediately possible.
  • Review and restrict glob patterns in policies to avoid granting delete permissions on kvv2 paths to users who do not need them, ensuring that delete capabilities are only granted to explicitly trusted roles.

Generated by OpenCVE AI on April 17, 2026 at 04:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 17 Apr 2026 04:45:00 +0000

Type Values Removed Values Added
First Time appeared Hashicorp
Hashicorp vault
Hashicorp vault Enterprise
Vendors & Products Hashicorp
Hashicorp vault
Hashicorp vault Enterprise

Fri, 17 Apr 2026 03:30:00 +0000

Type Values Removed Values Added
Description An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user to delete secrets across namespaces, nor read any secret data. Fxed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.
Title Vault KVv2 Metadata and Secret Deletion Policy Bypass Denial-of-Service
Weaknesses CWE-288
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}

Subscriptions

Hashicorp Vault Vault Enterprise
cve-icon MITRE

Status: PUBLISHED

Assigner: HashiCorp

Published:

Updated: 2026-04-17T13:20:28.557Z

Reserved: 2026-03-05T16:37:23.520Z

Link: CVE-2026-3605

cve-icon Vulnrichment

Updated: 2026-04-17T13:20:25.836Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-17T04:16:03.263

Modified: 2026-04-17T15:08:25.183

Link: CVE-2026-3605

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T05:00:05Z

Weaknesses