8.8

CVE-2026-4525

Vault Token Leaked to Backends via Authorization: Bearer Passthrough Header

If a Vault auth mount is configured to pass through the "Authorization" header, and the "Authorization" header is used to authenticate to Vault, Vault forwarded the Vault token to the auth plugin backend. Fixed in 2.0.0, 1.21.5, 1.20.10, and 1.19.16.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
HashicorpVault SwEditionenterprise Version >= 0.11.2 < 1.19.16
HashicorpVault SwEdition- Version >= 0.11.2 < 2.0.0
HashicorpVault SwEditionenterprise Version >= 1.20.0 < 1.20.10
HashicorpVault SwEditionenterprise Version >= 1.21.0 < 1.21.5
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.41% 0.324
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
security@hashicorp.com 7.5 1.6 5.9
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
0b0ca135-0b70-47e7-9f44-1890c2a1c46c 7.5 1.6 5.9
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-201 Insertion of Sensitive Information Into Sent Data

The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.

https://discuss.hashicorp.com/t/hcsec-2026-07-vault-may-expose-tokens-to-auth-plugins-due-to-incorrect-header-sanitization/77344
Vendor Advisory
https://access.redhat.com/security/cve/CVE-2026-4525
https://bugzilla.redhat.com/show_bug.cgi?id=2459107
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-4525.json