8.1

CVE-2026-3605

Vault KVv2 Metadata and Secret Deletion Policy Bypass Denial-of-Service

An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user to delete secrets across namespaces, nor read any secret data. Fxed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
HashicorpVault SwEditionenterprise Version >= 0.10.0 < 1.19.16
HashicorpVault SwEdition- Version >= 0.10.0 < 2.0.0
HashicorpVault SwEditionenterprise Version >= 1.20.0 < 1.20.10
HashicorpVault SwEditionenterprise Version >= 1.21.0 < 1.21.5
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.02% 0.047
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
security@hashicorp.com 8.1 2.8 5.2
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
CWE-288 Authentication Bypass Using an Alternate Path or Channel

The product requires authentication, but the product has an alternate path or channel that does not require authentication.