HIGH · CVE-2026-5807 · CVSS 7.5

CVE-2026-5807: DoS in HashiCorp Vault

Platform

go

Component

hashicorp/vault

Fixed in

2.0.0

1.21.5

AI Confidence: high · NVD · EPSS 0.0% · Reviewed: May 2026

CVE-2026-5807 is a denial-of-service (DoS) vulnerability affecting HashiCorp Vault. An unauthenticated attacker can repeatedly trigger or cancel root token generation or rekeying operations, effectively monopolizing the single in-progress operation slot within Vault. This prevents authorized administrators from performing critical management tasks, potentially leading to operational disruptions. The vulnerability impacts Vault Community Edition and Enterprise versions from 0.0.0 through 2.0.0 and is resolved in version 2.0.0.

Impact and Attack Scenarios

The primary impact of CVE-2026-5807 is the disruption of critical Vault management workflows. Root token generation and rekeying are essential for securing and managing access to secrets stored within Vault. An attacker exploiting this vulnerability can effectively lock out legitimate administrators, preventing them from rotating tokens, granting access to new users, or responding to security incidents. This could lead to prolonged outages, compromised secrets, and a significant degradation of overall security posture. The blast radius is limited to the Vault instance itself; however, the inability to manage Vault can have cascading effects on applications and services relying on its secrets management capabilities. While not directly leading to data exfiltration, the denial of service can create a window of opportunity for other attacks.

Exploitation Context

CVE-2026-5807 was published on April 17, 2026. Severity is rated as HIGH with a CVSS score of 7.5. There are currently no publicly known proof-of-concept exploits. The vulnerability is not listed in the CISA KEV catalog and its EPSS score is low, suggesting a low to medium probability of exploitation in the short term. Organizations using affected versions of HashiCorp Vault should prioritize patching to prevent potential disruption.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High
Reports: 2 threat reports

EPSS

0.02% (5% percentile)

CISA SSVC

Exploitation: none
Automatable: yes
Technical Impact: partial

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (base score 7.5, HIGH)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: None (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: None (risk of sensitive data exposure)
Integrity: None (risk of unauthorized data modification)
Availability: High (risk of service disruption)

Source: nextguardhq.com, CVSS v3.1 base score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
None — no confidentiality impact. Attacker cannot read protected data.
Integrity
None — no integrity impact. Attacker cannot modify data.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Component: hashicorp/vault
Vendor: HashiCorp

Affected range        Fixed in
0.0.0 – 1.99.9        2.0.0
1.21.4                1.21.5

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2026-5807 is upgrading to HashiCorp Vault version 2.0.0 or later, which includes the fix that prevents the DoS condition. If an immediate upgrade is not feasible, consider rate limiting root token generation and rekeying requests at the network level (e.g., with a WAF or reverse proxy); this limits the impact of repeated malicious requests. Monitor Vault logs for unusual patterns of token generation or rekeying attempts, which could indicate an ongoing attack. After upgrading, confirm the fix by attempting to trigger multiple root token generation or rekeying operations from different sources and checking that the operation slot can no longer be monopolized.
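A defender-side check for the log monitoring suggested above, added here as an example rather than code from HashiCorp or from this page: it reads Vault audit-device JSON records (the real fields time, type, request.operation, request.path and request.remote_address) and flags any remote address that starts or cancels generate-root or rekey operations more than a threshold number of times inside a time window. The sample log lines are constructed, and the threshold and window are assumptions to tune for your environment.

```go
package main
import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// auditEntry is the subset of a Vault audit-device JSON record that this check reads.
type auditEntry struct {
	Time    string `json:"time"`
	Type    string `json:"type"`
	Request struct {
		Operation     string `json:"operation"`
		Path          string `json:"path"`
		RemoteAddress string `json:"remote_address"`
	} `json:"request"`
}
// slotPaths start ("update") or cancel ("delete") the single in-progress generate-root/rekey operation.
var slotPaths = map[string]bool{"sys/generate-root/attempt": true, "sys/rekey/init": true}
// FlagChurn returns every remote address that sent more than maxOps start/cancel requests to a slot
// endpoint within any span of window. Lines are assumed to be in time order, as a file audit device writes them.
func FlagChurn(logs string, window time.Duration, maxOps int) map[string]bool {
	seen := map[string][]time.Time{}
	for _, line := range strings.Split(logs, "\n") {
		var e auditEntry
		_ = json.Unmarshal([]byte(line), &e) // a malformed line stays zero-valued and fails the checks below
		t, err := time.Parse(time.RFC3339, e.Time)
		if op := e.Request.Operation; err != nil || e.Type != "request" || !slotPaths[e.Request.Path] || (op != "update" && op != "delete") {
			continue // responses, status reads and non-slot paths are not churn
		}
		seen[e.Request.RemoteAddress] = append(seen[e.Request.RemoteAddress], t)
	}
	flagged := map[string]bool{}
	for addr, ts := range seen {
		for i := 0; i+maxOps < len(ts); i++ { // maxOps+1 events inside one window => churn
			if ts[i+maxOps].Sub(ts[i]) <= window {
				flagged[addr] = true
				break
			}
		}
	}
	return flagged
}
// sampleLog is constructed input in Vault audit-log shape, not a real capture.
const sampleLog = `{"time":"2026-04-17T10:00:00Z","type":"request","request":{"operation":"update","path":"sys/generate-root/attempt","remote_address":"198.51.100.7"}}
{"time":"2026-04-17T10:00:01Z","type":"request","request":{"operation":"delete","path":"sys/generate-root/attempt","remote_address":"198.51.100.7"}}
{"time":"2026-04-17T10:00:02Z","type":"request","request":{"operation":"update","path":"sys/rekey/init","remote_address":"198.51.100.7"}}
{"time":"2026-04-17T10:00:05Z","type":"request","request":{"operation":"update","path":"sys/generate-root/attempt","remote_address":"10.0.0.12"}}`
func main() { fmt.Println(FlagChurn(sampleLog, time.Minute, 2)) } // map[198.51.100.7:true]
```

Feed it the output of a Vault file audit device (one JSON object per line); a flagged address that does not belong to your administrators is a candidate for blocking at the proxy or WAF.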

How to fix

Update to Vault Community Edition 2.0.0 or Vault Enterprise 2.0.0 to mitigate this vulnerability. The update fixes the issue by limiting access to root token generation and rekey operations to authenticated users.

Frequently asked questions

What is CVE-2026-5807?

It's a denial-of-service vulnerability in HashiCorp Vault allowing an attacker to disrupt root token management, preventing legitimate users from accessing secrets.

Am I affected?

If you are running HashiCorp Vault versions 0.0.0 through 2.0.0, you are potentially affected by this vulnerability. Check your Vault version immediately.

How do I fix it?

Upgrade to HashiCorp Vault version 2.0.0 or later to resolve the vulnerability. If upgrading is not possible, implement rate limiting as a temporary workaround.

Is it being exploited?

As of the publication date, there are no publicly known exploits or active campaigns targeting CVE-2026-5807.

Where can I learn more?

Refer to the official HashiCorp security advisory and the CVE details on the NIST National Vulnerability Database (NVD) for comprehensive information.