Platform: go
Component: hashicorp/vault
Fixed in: 2.0.0 (Community Edition), 2.0.0 (Enterprise), 1.21.5 (Enterprise)
CVE-2026-5052 is a security vulnerability in the ACME support of HashiCorp Vault's PKI secrets engine. When validating http-01 and tls-alpn-01 challenges, Vault did not properly reject identifiers that resolve to local targets, so validation requests could be sent to unintended hosts on the local network. The result is unintended information disclosure. The issue affects Vault versions from 1.15.0 up to, but not including, 2.0.0; fixes are available in Vault Community Edition 2.0.0 and in Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.
In an ACME http-01 or tls-alpn-01 challenge, the ACME server (here Vault's PKI engine) connects to the host that the requested identifier resolves to in order to confirm that the requester controls it. Vault failed to reject identifiers that resolve to local addresses, so an ACME client could steer those validation connections to loopback, link-local or private addresses inside the network instead of to a legitimately exposed web server. An attacker with network access to Vault's ACME endpoint could use this to reach internal services that are not meant to be reachable from outside and learn information from them. The severity is rated moderate (CVSS 5.3): the impact is information disclosure, and exploitation requires network access.
The realistic attacker is one who can reach Vault's ACME endpoint, for example from the internal network on which Vault runs. Such an attacker could stand up a rogue web server on an internal address, request a certificate for an identifier that resolves to that address, and have Vault's challenge validation connect to it; more generally, any local or private address can be made the target of Vault's validation requests. Depending on what those targets return, this exposes information from internal services, and if the challenge succeeds Vault issues a certificate for that name that clients trusting Vault's CA would accept, which is the basis for the concern that HTTPS traffic intended for legitimate services could be intercepted. Exploitation is most likely where Vault is reachable from an insecure internal network.
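The following Go program is an added example, not Vault's code and not the upstream fix, of the check the advisory describes as missing: before connecting for an http-01 or tls-alpn-01 challenge, and again at connect time, refuse any target address that is loopback, unspecified, link-local, multicast or private. The function names (isLocalTarget, validateResolved, lookupAndValidate, challengeDialer), the extra CIDR list and the sample resolutions are this example's own. The Control hook on net.Dialer runs after name resolution on the concrete address being dialled, so the check also holds when a name resolves to a local address only at connect time (DNS rebinding).

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"syscall"
	"time"
)

// ErrLocalTarget is returned when a challenge target resolves to an address
// an ACME server must never connect to for validation.
var ErrLocalTarget = errors.New("acme: challenge target resolves to a local or private address")

// blockedRanges adds ranges the net.IP predicates do not cover:
// shared address space (RFC 6598, CGNAT) and the IPv4 "this network" block.
var blockedRanges = mustParseCIDRs("100.64.0.0/10", "0.0.0.0/8")

func mustParseCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// isLocalTarget reports whether ip must be rejected as a validation target:
// loopback, unspecified, RFC 1918 / RFC 4193 private, link-local, multicast,
// or one of blockedRanges. net.IP handles IPv4-mapped IPv6 forms itself.
func isLocalTarget(ip net.IP) bool {
	if ip == nil {
		return true // unparsable input is never a valid target
	}
	if ip.IsLoopback() || ip.IsUnspecified() || ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() ||
		ip.IsInterfaceLocalMulticast() || ip.IsMulticast() {
		return true
	}
	for _, n := range blockedRanges {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// validateResolved rejects an identifier if ANY address it resolved to is local.
// Rejecting on "any" rather than "first" is the conservative choice: a client
// may publish one public and one internal address hoping the validator picks
// the internal one.
func validateResolved(identifier string, addrs []net.IPAddr) error {
	if len(addrs) == 0 {
		return fmt.Errorf("acme: %s did not resolve to any address", identifier)
	}
	for _, a := range addrs {
		if isLocalTarget(a.IP) {
			return fmt.Errorf("%w: %s -> %s", ErrLocalTarget, identifier, a.IP)
		}
	}
	return nil
}

// lookupAndValidate is the pre-connection check: resolve with r, then apply
// validateResolved. challengeDialer repeats the check at connect time.
func lookupAndValidate(ctx context.Context, r *net.Resolver, identifier string) ([]net.IPAddr, error) {
	addrs, err := r.LookupIPAddr(ctx, identifier)
	if err != nil {
		return nil, err
	}
	if err := validateResolved(identifier, addrs); err != nil {
		return nil, err
	}
	return addrs, nil
}

// challengeDialer returns a dialer whose Control hook sees the concrete IP:port
// about to be connected, so a local address cannot slip through even if the
// name resolves differently between the pre-check and the connect.
func challengeDialer() *net.Dialer {
	return &net.Dialer{
		Timeout: 10 * time.Second,
		Control: func(network, address string, _ syscall.RawConn) error {
			host, _, err := net.SplitHostPort(address)
			if err != nil {
				return err
			}
			if isLocalTarget(net.ParseIP(host)) {
				return fmt.Errorf("%w: dial %s", ErrLocalTarget, address)
			}
			return nil
		},
	}
}

func main() {
	// Constructed sample resolutions; no network access is needed.
	samples := map[string][]net.IPAddr{
		"www.example.test":   {{IP: net.ParseIP("93.184.216.34")}},
		"metadata.internal":  {{IP: net.ParseIP("169.254.169.254")}},
		"split.example.test": {{IP: net.ParseIP("93.184.216.34")}, {IP: net.ParseIP("10.0.0.5")}},
	}
	for name, addrs := range samples {
		fmt.Printf("%-20s %v\n", name, validateResolved(name, addrs))
	}
	fmt.Println(challengeDialer().Control("tcp", "127.0.0.1:80", nil))
}
```

In a real validator the dialer returned by challengeDialer would be handed to the http.Transport used for http-01 and to the tls.Dialer used for tls-alpn-01, so both challenge types go through the same connect-time check.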
Exploit Status
EPSS: 0.01% (2nd percentile)
CISA SSVC: (none listed)
CVSS Vector: (none listed)
To mitigate CVE-2026-5052, upgrade Vault to a patched release: Vault Community Edition 2.0.0, or Vault Enterprise 2.0.0, 1.21.5, 1.20.10 or 1.19.16. Releases from 1.15.0 onward that are older than the fix for their branch are affected. After upgrading, review the PKI engine configuration so that ACME is enabled only where it is needed and validations can only target the external, legitimate web servers you intend. Network segmentation and strict access controls on Vault's ACME endpoint limit what an attacker could reach even if a validation were misdirected.
Upgrade Vault to version 2.0.0, or to one of the patched Enterprise releases (1.21.5, 1.20.10, 1.19.16), to mitigate the Server-Side Request Forgery (SSRF) vulnerability in ACME challenge validation. Check the release notes for any configuration changes required after the upgrade. Disable ACME validation if it is not needed.
Vault versions from 1.15.0 onward that are older than the fix for their branch are vulnerable: Community Edition releases before 2.0.0, and Enterprise releases before 2.0.0, 1.21.5, 1.20.10 or 1.19.16 respectively.
Check which version of Vault you are running, for example with "vault version". If it falls in the affected range, upgrade.
If you cannot upgrade immediately, restrict network access to Vault's ACME endpoint so that untrusted clients cannot submit challenge requests, and disable ACME on PKI mounts that do not need it.
The information disclosed is whatever the misdirected validation requests can elicit from internal services, which could include sensitive data such as passwords, API keys or personal information exposed on services that assumed they were reachable only from inside the network.
Review your PKI engine configuration so that ACME challenge validations can only target the external, legitimate web servers you intend, and apply strict access controls to the ACME endpoint.
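As an added example, not the project's own tooling, this Go snippet encodes the affected range described above so a fleet inventory can be checked offline: 1.15.0 and later are affected, 2.0.0 fixes both editions, and only Enterprise has backported fixes on the 1.21 (1.21.5), 1.20 (1.20.10) and 1.19 (1.19.16) branches. It assumes Enterprise builds can be recognised by a "+ent" build-metadata suffix in the reported version (for example 1.21.4+ent), and it treats a pre-release such as 2.0.0-rc1 as older than its release. The type and function names (vaultVersion, parseVaultVersion, isAffected) are this example's own.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// vaultVersion is a parsed Vault release string such as "1.21.4", "1.21.4+ent"
// or "2.0.0-rc1". Build metadata starting with "ent" marks an Enterprise build
// (assumption: matches the "+ent" / "+ent.hsm" suffixes Enterprise reports).
type vaultVersion struct {
	major, minor, patch int
	pre                 bool // pre-release (e.g. -rc1) sorts before its release
	enterprise          bool
}

func parseVaultVersion(s string) (vaultVersion, error) {
	var v vaultVersion
	core := strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexByte(core, '+'); i >= 0 { // build metadata
		v.enterprise = strings.HasPrefix(core[i+1:], "ent")
		core = core[:i]
	}
	if i := strings.IndexByte(core, '-'); i >= 0 { // pre-release tag
		v.pre = true
		core = core[:i]
	}
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return v, fmt.Errorf("unrecognised Vault version %q", s)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, fmt.Errorf("unrecognised Vault version %q", s)
		}
		nums[i] = n
	}
	v.major, v.minor, v.patch = nums[0], nums[1], nums[2]
	return v, nil
}

// less orders by (major, minor, patch), with a pre-release below its release.
func (v vaultVersion) less(o vaultVersion) bool {
	if v.major != o.major {
		return v.major < o.major
	}
	if v.minor != o.minor {
		return v.minor < o.minor
	}
	if v.patch != o.patch {
		return v.patch < o.patch
	}
	return v.pre && !o.pre
}

var (
	firstAffected = vaultVersion{major: 1, minor: 15}
	fixedAll      = vaultVersion{major: 2}
	// Enterprise-only backports keyed by 1.x minor: 1.21.5, 1.20.10, 1.19.16.
	enterpriseFixes = map[int]int{21: 5, 20: 10, 19: 16}
)

// isAffected reports whether a reported Vault version falls in the range the
// advisory describes as affected by CVE-2026-5052.
func isAffected(version string) (bool, error) {
	v, err := parseVaultVersion(version)
	if err != nil {
		return false, err
	}
	if v.less(firstAffected) || !v.less(fixedAll) {
		return false, nil // older than 1.15.0, or 2.0.0 and later
	}
	if v.enterprise && v.major == 1 {
		if patch, ok := enterpriseFixes[v.minor]; ok {
			fix := vaultVersion{major: 1, minor: v.minor, patch: patch}
			return v.less(fix), nil
		}
	}
	return true, nil // Community 1.15+ and Enterprise branches without a backport
}

func main() {
	// Constructed inventory of reported versions.
	for _, s := range []string{"1.14.9", "1.21.4", "1.21.5", "1.21.5+ent", "1.20.9+ent", "1.18.5+ent", "2.0.0-rc1", "2.0.0"} {
		affected, err := isAffected(s)
		fmt.Printf("%-12s affected=%v err=%v\n", s, affected, err)
	}
}
```

Note that under the advisory as stated, a Community Edition 1.21.5 is still affected because the 1.21.5 fix is an Enterprise release; only 2.0.0 fixes Community Edition.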