Platform: go
Component: hashicorp/vault
Fixed in: 2.0.0, 1.21.5
CVE-2026-3605 is a denial-of-service vulnerability affecting HashiCorp Vault versions 0.10.0 through 2.0.0. An authenticated user with a policy granting access to a kvv2 path using a wildcard can inadvertently delete secrets they are not authorized to modify. This vulnerability does not allow for secret data exfiltration or cross-namespace secret deletion, but can disrupt service availability.
The primary impact of CVE-2026-3605 is denial-of-service. An attacker, possessing valid Vault credentials and a policy containing a glob pattern granting access to a kvv2 path, can trigger unintended secret deletion. This can lead to application failures, data unavailability, and disruption of critical workflows that rely on the affected secrets. While the vulnerability is limited to the scope of the user's policy and does not permit reading secret data, the loss of secrets can still have significant operational consequences. The blast radius is limited to the secrets accessible through the affected policy, preventing widespread compromise.
CVE-2026-3605 was publicly disclosed on 2026-04-17. The vulnerability's severity is rated HIGH with a CVSS score of 8.1. There are currently no publicly available proof-of-concept exploits. It is not listed on the CISA KEV catalog as of this writing. The vulnerability stems from a flaw in policy evaluation logic within Vault's kvv2 API.
Exploit Status
EPSS: 0.01% (2nd percentile)
CISA SSVC
CVSS Vector
The recommended mitigation for CVE-2026-3605 is to upgrade HashiCorp Vault to a patched version: 2.0.0, 1.21.5, 1.20.10, or 1.19.16. If immediate upgrade is not feasible, review and restrict the permissions granted by kvv2 policies, ensuring that wildcard patterns are used cautiously and do not inadvertently grant excessive deletion privileges. Consider implementing stricter access controls and auditing to detect and prevent unauthorized secret deletion attempts. After upgrade, confirm the fix by attempting to delete a secret with a policy that previously allowed unintended deletion; the operation should be denied.
Upgrade to Vault Community Edition 2.0.0 or one of the following versions: 1.21.5, 1.20.10, or 1.19.16. This update corrects a vulnerability that allows authenticated users with access to a kvv2 path through a policy with a wildcard to delete secrets they are not authorized to read or write, which can lead to denial-of-service. Refer to the official HashiCorp documentation for detailed upgrade instructions.
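The policy review recommended above can be partly automated. The script below is an added example written for this page; it is not HashiCorp's code and not part of the advisory. It parses a small subset of Vault's HCL policy syntax (one `path` block with a `capabilities` list) and flags any wildcard path under a kv-v2 mount whose capabilities permit deleting secrets, so that a reviewer can see which globs need narrowing before or after the upgrade. The kv-v2 mount name `secret/`, the two sample policies and the mapping of kv-v2 sub-paths to their deleting capabilities are assumptions made for the example.

```python
import re
from typing import Dict, List, Set, Tuple

# Assumption for this example: under a kv-v2 mount, these sub-paths are the ones
# through which a secret can be removed, and these are the capabilities that
# allow it (DELETE on data/ and metadata/, POST on delete/ and destroy/).
DELETING_CAPS: Dict[str, Set[str]] = {
    "data/": {"delete"},
    "metadata/": {"delete"},
    "delete/": {"update"},
    "destroy/": {"update"},
}

# Vault path globbing: a trailing "*" matches any suffix, "+" matches one segment.
WILDCARD_RE = re.compile(r"[*+]")

# Minimal parser for `path "<p>" { capabilities = [ ... ] }` blocks only.
PATH_BLOCK_RE = re.compile(
    r'path\s+"(?P<path>[^"]+)"\s*\{\s*capabilities\s*=\s*\[(?P<caps>[^\]]*)\]\s*\}',
    re.S,
)


def parse_policy(hcl: str) -> Dict[str, List[str]]:
    """Return {path: [capabilities]} for each path block in the policy text."""
    rules: Dict[str, List[str]] = {}
    for m in PATH_BLOCK_RE.finditer(hcl):
        caps = [c.strip().strip('"') for c in m.group("caps").split(",") if c.strip()]
        rules[m.group("path")] = caps
    return rules


def deletion_caps_for(rel: str) -> Set[str]:
    """Capabilities that permit deletion via the mount-relative path `rel`."""
    first_seg = rel.split("/", 1)[0]
    if WILDCARD_RE.search(first_seg):
        # e.g. "secret/*": the glob can expand to data/, metadata/, delete/, destroy/
        return set().union(*DELETING_CAPS.values())
    for prefix, caps in DELETING_CAPS.items():
        if rel.startswith(prefix):
            return caps
    return set()


def find_wildcard_deletes(hcl: str, kv2_mounts=("secret/",)) -> List[Tuple[str, List[str]]]:
    """List (path, risky_caps) for wildcard rules that let the holder delete kv-v2 secrets."""
    findings: List[Tuple[str, List[str]]] = []
    for path, caps in parse_policy(hcl).items():
        if "deny" in caps or not WILDCARD_RE.search(path):
            continue
        for mount in kv2_mounts:
            if not path.startswith(mount):
                continue
            risky = sorted(set(caps) & deletion_caps_for(path[len(mount):]))
            if risky:
                findings.append((path, risky))
            break
    return findings


# Constructed sample: a glob that grants delete across a whole team prefix.
WIDE_POLICY = '''
path "secret/data/team-a/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "secret/metadata/team-a/*" {
  capabilities = ["read", "list", "delete"]
}
'''

# Constructed sample: read-only globs, with deletion limited to one named secret.
NARROW_POLICY = '''
path "secret/data/team-a/*" {
  capabilities = ["read", "list"]
}
path "secret/metadata/team-a/*" {
  capabilities = ["read", "list"]
}
path "secret/data/team-a/rotating-db-cred" {
  capabilities = ["create", "update", "delete"]
}
'''

if __name__ == "__main__":
    for name, policy in (("wide", WIDE_POLICY), ("narrow", NARROW_POLICY)):
        hits = find_wildcard_deletes(policy)
        print(f"{name}: {hits or 'no wildcard deletion rights'}")
```

The parser deliberately covers only the `path`/`capabilities` shape; real policies with other attributes should be run through a full HCL parser first. The narrowed policy keeps the convenient read glob and moves deletion rights onto an explicit path, which is the kind of restriction the mitigation above describes.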
CVE-2026-3605 is a denial-of-service vulnerability in HashiCorp Vault versions 0.10.0–2.0.0 where an authenticated user with a permissive policy can delete secrets they lack write access to.
You are affected if you are running HashiCorp Vault versions 0.10.0 through 2.0.0 and using kvv2 paths with wildcard patterns in your policies.
Upgrade to HashiCorp Vault version 2.0.0, 1.21.5, 1.20.10, or 1.19.16. Review and restrict kvv2 policy permissions.
As of now, there are no confirmed reports of active exploitation of CVE-2026-3605.
Refer to the official HashiCorp security advisory for CVE-2026-3605 on the HashiCorp website.