Description
An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user to delete secrets across namespaces, nor read any secret data. Fxed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.
Published: 2026-04-17
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch Promptly
AI Analysis

Impact

An authentication and authorization flaw in HashiCorp Vault allows an authenticated user with a glob‑based policy on a kvv2 path to delete secrets they are not authorized to remove, which can cause downtime for the service. The vulnerability does not provide cross‑namespace deletion or allow reading of secret data; it is a denial‑of‑service scenario rooted in insufficient permission checks (CWE-288) and an authorization bypass through user‑controlled keys (CWE-639).

Affected Systems

HashiCorp Vault Community Edition 2.0.0 and HashiCorp Vault Enterprise versions 2.0.0, 1.21.5, 1.20.10, and 1.19.16 are affected by this policy bypass. Users running these releases without updating are exposed to the described deletion issue.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity impact, and the EPSS score of <1% combined with a KEV absence suggests no known widespread exploitation yet, though the lack of delete permission restrictions makes the vulnerability readily exploitable in environments with misconfigured glob policies. The flaw stems from insufficient permission checks (CWE-288) and an authorization bypass through user‑controlled keys (CWE-639). An attacker must be authenticated and have policy access to the vulnerable path, but does not need any special administrative privileges beyond normal policy rights, increasing the likelihood of exploitation if privileges are misassigned.

Generated by OpenCVE AI on April 18, 2026 at 09:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade HashiCorp Vault Community Edition to version 2.0.0 or later.
  • If using Vault Enterprise, upgrade to at least version 2.0.0, or to the patched releases 1.21.5, 1.20.10, or 1.19.16 if an upgrade to 2.0.0 is not immediately possible.
  • Review and restrict glob patterns in policies to avoid granting delete permissions on kvv2 paths to users who do not need them, ensuring that delete capabilities are only granted to explicitly trusted roles.

Generated by OpenCVE AI on April 18, 2026 at 09:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-m2w4-8ggf-rj47 HashiCorp Vault has a KVv2 Metadata and Secret Deletion Policy Bypass that leads to Denial-of-Service
History

Sat, 25 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:*
cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*

Sat, 18 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-639
References
Metrics threat_severity

None

 threat_severity

Important

Fri, 17 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 17 Apr 2026 04:45:00 +0000

Type Values Removed Values Added
First Time appeared Hashicorp
Hashicorp vault
Hashicorp vault Enterprise
Vendors & Products Hashicorp
Hashicorp vault
Hashicorp vault Enterprise

Fri, 17 Apr 2026 03:30:00 +0000

Type Values Removed Values Added
Description An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user to delete secrets across namespaces, nor read any secret data. Fxed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.
Title Vault KVv2 Metadata and Secret Deletion Policy Bypass Denial-of-Service
Weaknesses CWE-288
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}

Subscriptions

Hashicorp Vault Vault Enterprise
cve-icon MITRE

Status: PUBLISHED

Assigner: HashiCorp

Published:

Updated: 2026-04-17T17:57:55.431Z

Reserved: 2026-03-05T16:37:23.520Z

Link: CVE-2026-3605

cve-icon Vulnrichment

Updated: 2026-04-17T13:20:25.836Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-17T04:16:03.263

Modified: 2026-04-25T18:08:13.057

Link: CVE-2026-3605

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-17T02:44:42Z

Links: CVE-2026-3605 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T09:30:25Z

Weaknesses