Platform
go
Component
hashicorp/vault
Fixed in
2.0.0
1.21.5
CVE-2026-5807 is a denial-of-service (DoS) vulnerability affecting HashiCorp Vault. An unauthenticated attacker can repeatedly trigger or cancel root token generation or rekeying operations, effectively monopolizing the single in-progress operation slot within Vault. This prevents authorized administrators from performing critical management tasks, potentially leading to operational disruptions. The vulnerability impacts Vault Community Edition and Enterprise versions from 0.0.0 through 2.0.0 and is resolved in version 2.0.0.
This vulnerability allows an attacker to render HashiCorp Vault unavailable for critical administrative functions. By repeatedly initiating or canceling root token generation or rekeying processes, the attacker can exhaust the single in-progress operation slot within Vault. This prevents authorized users from performing essential tasks such as generating new root tokens or rotating existing ones, potentially leading to operational disruptions and hindering security management. The blast radius is limited to the Vault instance itself, but the impact can be significant if Vault is a central component of the infrastructure's security posture.
CVE-2026-5807 was publicly disclosed on 2026-04-17. There is no indication of active exploitation or KEV listing at the time of writing. Public proof-of-concept code is not currently available, but the vulnerability's simplicity suggests that it could be easily exploited. Monitor security advisories and threat intelligence feeds for any signs of exploitation.
Exploit status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-5807 is to upgrade to HashiCorp Vault version 2.0.0 or later, which contains the fix. If immediate upgrading is not feasible, consider implementing rate limiting on root token generation and rekeying operations at the network level (e.g., using a WAF or proxy) to restrict the number of requests from a single source. Monitor Vault logs for unusual patterns of token generation or rekeying requests that could indicate an ongoing attack. After upgrading, confirm the fix by attempting to trigger multiple root token generation or rekeying operations from different sources and verifying that legitimate operations are not blocked.
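One way to do the log monitoring suggested above, as an added example that is not part of this advisory or of Vault itself: it scans JSON audit-device entries (assuming the file audit device's `request.path`, `request.operation` and `request.remote_address` fields, with a PUT logged as `update` and a DELETE as `delete`) over constructed sample lines and flags any source that starts or cancels root-generation or rekey operations repeatedly within a short window, which is the churn pattern this CVE describes.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
# Endpoints whose start (PUT -> "update") / cancel (DELETE -> "delete") churn this DoS abuses.
WATCHED_PATHS = {"sys/generate-root/attempt", "sys/rekey/init"}
WATCHED_OPS = {"update", "delete"}

def parse_audit_events(lines):
    """Yield (time, remote_address) for start/cancel requests on the watched endpoints."""
    for line in lines:
        entry = json.loads(line)
        req = entry.get("request", {})
        if entry.get("type") != "request" or req.get("path") not in WATCHED_PATHS:
            continue
        if req.get("operation") not in WATCHED_OPS:  # ignore status polls (GET -> "read")
            continue
        ts = datetime.fromisoformat(entry["time"].replace("Z", "+00:00"))
        yield ts, req.get("remote_address", "unknown")

def find_churn(lines, window=timedelta(minutes=5), threshold=5):
    """Return {remote_address: peak count} for sources that issued at least
    `threshold` start/cancel operations within any `window`-long span."""
    per_source = defaultdict(list)
    for ts, addr in parse_audit_events(lines):
        per_source[addr].append(ts)
    flagged = {}
    for addr, times in per_source.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):  # sliding window over sorted timestamps
            while ts - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[addr] = max(flagged.get(addr, 0), count)
    return flagged

def _event(t, op, path, addr):  # builds a constructed audit entry (not real Vault output)
    return json.dumps({"time": t, "type": "request", "auth": {},
                       "request": {"operation": op, "path": path, "remote_address": addr}})
SAMPLE_LOG = [  # constructed: one source churns start/cancel, one admin does a single real start
    _event("2026-04-17T10:00:00Z", "update", "sys/generate-root/attempt", "203.0.113.9"),
    _event("2026-04-17T10:00:01Z", "delete", "sys/generate-root/attempt", "203.0.113.9"),
    _event("2026-04-17T10:00:02Z", "update", "sys/rekey/init", "203.0.113.9"),
    _event("2026-04-17T10:00:03Z", "delete", "sys/rekey/init", "203.0.113.9"),
    _event("2026-04-17T10:00:04Z", "update", "sys/generate-root/attempt", "203.0.113.9"),
    _event("2026-04-17T10:00:05Z", "delete", "sys/generate-root/attempt", "203.0.113.9"),
    _event("2026-04-17T10:30:00Z", "update", "sys/generate-root/attempt", "10.0.0.5"),
    _event("2026-04-17T10:31:00Z", "read", "sys/generate-root/attempt", "10.0.0.5"),
]
```

Feed it real audit lines with `find_churn(open(path))`; tune `window` and `threshold` to how often your operators legitimately start and abandon these operations.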
Update to Vault Community Edition 2.0.0 or Vault Enterprise 2.0.0 to mitigate this vulnerability. The update fixes the flaw by restricting access to root token generation and rekey operations to authenticated users.
It's a denial-of-service vulnerability in HashiCorp Vault allowing an attacker to disrupt root token management, preventing legitimate users from accessing secrets.
If you are running HashiCorp Vault versions 0.0.0 through 2.0.0, you are potentially affected by this vulnerability. Check your Vault version immediately.
Upgrade to HashiCorp Vault version 2.0.0 or later to resolve the vulnerability. If upgrading is not possible, implement rate limiting as a temporary workaround.
As of the publication date, there are no publicly known exploits or active campaigns targeting CVE-2026-5807.
Refer to the official HashiCorp security advisory and the CVE details on the NIST National Vulnerability Database (NVD) for comprehensive information.