Description
If a Vault auth mount is configured to pass through the "Authorization" header, and the "Authorization" header is used to authenticate to Vault, Vault forwarded the Vault token to the auth plugin backend. Fixed in 2.0.0, 1.21.5, 1.20.10, and 1.19.16.
Published: 2026-04-17
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Vault Token Exposure
Action: Patch Now
AI Analysis

Impact

Vault allows the Authorization header to be forwarded to authentication backends when the header is used for authenticating to Vault. The forwarded header contains the Vault token, which is mistakenly exposed to the auth plugin. This leakage of the token can enable an attacker to impersonate the user with the token's privileges. The weakness is an insecure handling of sensitive data (CWE-201), compromising confidentiality and potentially providing full access to Vault resources.

Affected Systems

HashiCorp Vault and Vault Enterprise are affected. All releases older than 2.0.0, 1.21.5, 1.20.10, or 1.19.16 contain the vulnerability.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.5, indicating high severity. EPSS data is not available, but public exploitation is not documented and the issue is not listed in the CISA KEV catalog. The attack requires the ability to configure an auth mount to use the Authorization header passthrough, which is typically a privilege of internal users or an attacker who compromises the configuration process. An attacker who can achieve this can retrieve a Vault token and perform unauthorized actions.

Generated by OpenCVE AI on April 17, 2026 at 04:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade HashiCorp Vault to version 2.0.0 or newer, or to 1.21.5, 1.20.10, or 1.19.16 to receive the patch.
  • If any Vault tokens may have been exposed, immediately rotate or revoke impacted tokens and generate new root tokens.
  • Reconfigure all authentication backends to disable passthrough of the Authorization header and ensure safe handling of header data.
  • Implement comprehensive input validation or header sanitization for any internal components that process Authorization headers to prevent future token leakage.

Generated by OpenCVE AI on April 17, 2026 at 04:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 17 Apr 2026 04:45:00 +0000

Type Values Removed Values Added
First Time appeared Hashicorp
Hashicorp vault
Hashicorp vault Enterprise
Vendors & Products Hashicorp
Hashicorp vault
Hashicorp vault Enterprise

Fri, 17 Apr 2026 03:30:00 +0000

Type Values Removed Values Added
Description If a Vault auth mount is configured to pass through the "Authorization" header, and the "Authorization" header is used to authenticate to Vault, Vault forwarded the Vault token to the auth plugin backend. Fixed in 2.0.0, 1.21.5, 1.20.10, and 1.19.16.
Title Vault Token Leaked to Backends via Authorization: Bearer Passthrough Header
Weaknesses CWE-201
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Hashicorp Vault Vault Enterprise
cve-icon MITRE

Status: PUBLISHED

Assigner: HashiCorp

Published:

Updated: 2026-04-17T17:22:41.255Z

Reserved: 2026-03-20T17:47:40.835Z

Link: CVE-2026-4525

cve-icon Vulnrichment

Updated: 2026-04-17T13:19:29.212Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-17T04:16:09.997

Modified: 2026-04-17T15:08:25.183

Link: CVE-2026-4525

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T04:30:09Z

Weaknesses