github.com/hashicorp/vault (Go) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Go package github.com/hashicorp/vault, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (55)
CVE-2025-6000 — CVSS 9.1 (critical): A privileged Vault operator within the root namespace with write permission to {{sys/audit}} may obtain code execution on the underlying…
CVE-2022-40186 — CVSS 9.1 (critical): An issue was discovered in HashiCorp Vault and Vault Enterprise before 1.11.3. A vulnerability in the Identity Engine was found where, in a…
CVE-2020-10661 — CVSS 9.1 (critical): HashiCorp Vault and Vault Enterprise versions 0.11.0 through 1.3.3 may, under certain circumstances, have existing nested-path policies…
CVE-2020-16250 — CVSS 8.2 (high): HashiCorp Vault and Vault Enterprise versions 0.7.1 and newer, when configured with the AWS IAM auth method, may be vulnerable to…
CVE-2020-16251 — CVSS 8.2 (high): HashiCorp Vault and Vault Enterprise versions 0.8.3 and newer, when configured with the GCP GCE auth method, may be vulnerable to…
CVE-2025-11621 — CVSS 8.1 (high): Vault and Vault Enterprise’s (“Vault”) AWS Auth method may be susceptible to authentication bypass if the role of the configured…
CVE-2021-42135 — CVSS 8.1 (high): HashiCorp Vault and Vault Enterprise 1.8.x through 1.8.4 may have an unexpected interaction between glob-related policies and the Google…
CVE-2026-3605 — CVSS 8.1 (high): An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized…
CVE-2024-2048 — CVSS 8.1 (high): Vault and Vault Enterprise (“Vault”) TLS certificate auth method did not correctly validate client certificates when configured with a…
CVE-2023-5077 — CVSS 7.6 (high): The Vault and Vault Enterprise ("Vault") Google Cloud secrets engine did not preserve existing Google Cloud IAM Conditions upon creating or…
CVE-2024-6468 — CVSS 7.5 (high): Vault and Vault Enterprise did not properly handle requests originating from unauthorized IP addresses when the TCP listener option…
CVE-2023-6337 — CVSS 7.5 (high): HashiCorp Vault and Vault Enterprise 1.12.0 and newer are vulnerable to a denial of service through memory exhaustion of the host when…
CVE-2020-13223 — CVSS 7.5 (high): HashiCorp Vault and Vault Enterprise logged proxy environment variables that potentially included sensitive credentials. Fixed in 1.3.6 and…
CVE-2026-5807 — CVSS 7.5 (high): Vault is vulnerable to a denial-of-service condition where an unauthenticated attacker can repeatedly initiate or cancel root token…
CVE-2026-4525 — CVSS 7.5 (high): If a Vault auth mount is configured to pass through the "Authorization" header, and the "Authorization" header is used to authenticate to…
CVE-2020-7220 — CVSS 7.5 (high): HashiCorp Vault Enterprise 0.11.0 through 1.3.1 fails, in certain circumstances, to revoke dynamic secrets for a mount in a deleted…
CVE-2021-3282 — CVSS 7.5 (high): HashiCorp Vault Enterprise 1.6.0 & 1.6.1 allowed the `remove-peer` raft operator command to be executed against DR secondaries without…
CVE-2025-6203 — CVSS 7.5 (high): A malicious user may submit a specially-crafted complex payload that otherwise meets the default request size limit which results in…
CVE-2025-12044 — CVSS 7.5 (high): Vault and Vault Enterprise (“Vault”) are vulnerable to an unauthenticated denial of service when processing JSON payloads. This occurs…
CVE-2024-8185 — CVSS 7.5 (high): Vault Community and Vault Enterprise (“Vault”) clusters using Vault’s Integrated Storage backend are vulnerable to a…
CVE-2024-7594 — CVSS 7.5 (high): Vault’s SSH secrets engine did not require the valid_principals list to contain a value by default. If the valid_principals and…
CVE-2021-32923 — CVSS 7.4 (high): HashiCorp Vault and Vault Enterprise allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically, those…
CVE-2025-5999 — CVSS 7.2 (high): A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or another user’s…
CVE-2024-9180 — CVSS 7.2 (high): A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or another user’s…
CVE-2020-25816 — CVSS 6.8 (medium): HashiCorp Vault and Vault Enterprise versions 1.0 and newer allowed leases created with a batch token to outlive their TTL because…
CVE-2025-6037 — CVSS 6.8 (medium): Vault and Vault Enterprise (“Vault”) TLS certificate auth method did not correctly validate client certificates when configured with a…
CVE-2023-4680 — CVSS 6.8 (medium): HashiCorp Vault and Vault Enterprise transit secrets engine allowed authorized users to specify arbitrary nonces, even with convergent…
CVE-2025-3879 — CVSS 6.6 (medium): Vault Community, Vault Enterprise (“Vault”) Azure Auth method did not correctly validate the claims in the Azure-issued token…
CVE-2021-43998 — CVSS 6.5 (medium): HashiCorp Vault and Vault Enterprise 0.11.0 up to 1.7.5 and 1.8.4 templated ACL policies would always match the first-created entity alias…
CVE-2025-6014 — CVSS 6.5 (medium): Vault and Vault Enterprise’s (“Vault”) TOTP Secrets Engine code validation endpoint is susceptible to code reuse within its validity…
CVE-2025-6013 — CVSS 6.5 (medium): Vault and Vault Enterprise’s (“Vault”) ldap auth method may not have correctly enforced MFA if username_as_alias was set to true and…
CVE-2023-0665 — CVSS 6.5 (medium): HashiCorp Vault's PKI mount issuer endpoints did not correctly authorize access to remove an issuer or modify issuer metadata, potentially…
CVE-2023-0620 — CVSS 6.5 (medium): HashiCorp Vault and Vault Enterprise versions 0.8.0 through 1.13.1 are vulnerable to an SQL injection attack when configuring the Microsoft…
CVE-2024-2660 — CVSS 6.4 (medium): Vault and Vault Enterprise TLS certificates auth method did not correctly validate OCSP responses when one or more OCSP sources were…
CVE-2024-8365 — CVSS 6.2 (medium): Vault Community Edition and Vault Enterprise experienced a regression where functionality that HMAC’d sensitive headers in the configured…
CVE-2023-5954 — CVSS 5.9 (medium): HashiCorp Vault and Vault Enterprise inbound client requests triggering a policy check can lead to an unbounded consumption of memory. A…
CVE-2025-6015 — CVSS 5.7 (medium): Vault and Vault Enterprise’s (“Vault”) login MFA rate limits could be bypassed and TOTP tokens could be reused. Fixed in Vault…
CVE-2026-5052 — CVSS 5.3 (medium): Vault’s PKI engine’s ACME validation did not reject local targets when issuing http-01 and tls-alpn-01 challenges. This may lead to…
CVE-2020-35177 — CVSS 5.3 (medium): HashiCorp Vault and Vault Enterprise 1.4.1 and newer allowed the enumeration of users via the LDAP auth method. Fixed in 1.5.6 and 1.6.1.
CVE-2022-41316 — CVSS 5.3 (medium): HashiCorp Vault and Vault Enterprise’s TLS certificate auth method did not initially load the optionally configured CRL issued by the…
CVE-2023-3462 — CVSS 5.3 (medium): HashiCorp's Vault and Vault Enterprise are vulnerable to user enumeration when using the LDAP auth method. An attacker may submit requests…
CVE-2021-38554 — CVSS 5.3 (medium): HashiCorp Vault and Vault Enterprise’s UI erroneously cached and exposed user-viewed secrets between sessions in a single shared browser…
CVE-2020-10660 — CVSS 5.3 (medium): HashiCorp Vault and Vault Enterprise versions 0.9.0 through 1.3.3 may, under certain circumstances, have an Entity's Group membership…
CVE-2022-30689 — CVSS 5.3 (medium): HashiCorp Vault and Vault Enterprise from 1.10.0 to 1.10.2 did not correctly configure and enforce MFA on login after server restarts. This…
CVE-2025-6004 — CVSS 5.3 (medium): Vault and Vault Enterprise’s (“Vault”) user lockout feature could be bypassed for Userpass and LDAP authentication methods. Fixed in…
CVE-2023-25000 — CVSS 5.0 (medium): HashiCorp Vault's implementation of Shamir's secret sharing used precomputed table lookups, and was vulnerable to cache-timing attacks. An…
CVE-2024-0831 — CVSS 4.5 (medium): Vault and Vault Enterprise (“Vault”) may expose sensitive information when enabling an audit device which specifies the `log_raw`…
CVE-2025-4166 — CVSS 4.5 (medium): Vault Community and Vault Enterprise Key/Value (kv) Version 2 plugin may unintentionally expose sensitive information in server and audit…
CVE-2021-38553 — CVSS 4.4 (medium): HashiCorp Vault and Vault Enterprise 1.4.0 through 1.7.3 initialized an underlying database file associated with the Integrated Storage…
CVE-2023-24999 — CVSS 4.4 (medium): HashiCorp Vault and Vault Enterprise’s approle auth method allowed any authenticated user with access to an approle destroy endpoint to…
CVE-2023-2121 — CVSS 4.3 (medium): Vault and Vault Enterprise's (Vault) key-value v2 (kv-v2) diff viewer allowed HTML injection into the Vault web UI through key values. This…
CVE-2025-6011 — CVSS 3.7 (low): A timing side channel in Vault and Vault Enterprise’s (“Vault”) userpass auth method allowed an attacker to distinguish between…
CVE-2025-4656 — CVSS 3.1 (low): Vault Community and Vault Enterprise rekey and recovery key operations can lead to a denial of service due to uncontrolled cancellation by…
CVE-2021-41802 — CVSS 2.9 (low): HashiCorp Vault and Vault Enterprise through 1.7.4 and 1.8.3 allowed a user with write permission to an entity alias ID sharing a mount…
CVE-2024-5798 — CVSS 2.6 (low): Vault and Vault Enterprise did not properly validate the JSON Web Token (JWT) role-bound audience claim when using the Vault JWT auth…