HIGH · CVE-2026-4525 · CVSS 7.5

CVE-2026-4525: HashiCorp Vault Auth Header Leak - High

Platform: go

Component: hashicorp/vault

Fixed in: 2.0.0, 1.21.5

AI Confidence: high · NVD · EPSS 0.0% · Reviewed: Apr 2026

CVE-2026-4525 is a security vulnerability affecting HashiCorp Vault. This issue occurs when an auth mount passes through the "Authorization" header, potentially exposing Vault tokens to the backend authentication plugin. The vulnerability impacts versions 0.11.2 through 2.0.0 of Vault. A fix is available in versions 2.0.0, 1.21.5, 1.20.10, and 1.19.16.


Impact and Attack Scenarios

CVE-2026-4525 affects Vault when an auth mount is configured to pass through the 'Authorization' header. In this scenario, if the 'Authorization' header is used to authenticate to Vault, Vault inadvertently forwards the Vault token to the auth plugin backend. This could allow an attacker to compromise the auth plugin backend, potentially gaining access to secrets stored in Vault or performing unauthorized actions. The severity of this issue is rated as 7.5 (High) according to CVSS. Exposing Vault tokens to unintended auth plugin backends poses a significant security risk, as it could facilitate privilege escalation and unauthorized access to sensitive data. Addressing this vulnerability is crucial to protect the integrity and confidentiality of secrets managed by Vault.

Exploitation Context

This vulnerability is exploited when an attacker can control the 'Authorization' header sent to Vault. If an attacker can manipulate this header to include a valid Vault token, Vault will forward that token to the auth plugin backend. The auth plugin backend could then use this token to access resources or perform actions that the attacker should not be able to perform. The likelihood of exploitation depends on Vault's configuration and the security of the auth plugin backend. An environment where the 'Authorization' header is widely used for authentication and where the auth plugin backend is not adequately protected is more vulnerable.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High
Reports: 2 threat reports

EPSS

0.02% (4% percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: total

CVSS Vector

THREAT INTELLIGENCE · CVSS 3.1

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Score: 7.5 HIGH

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: High (conditions required to exploit)
Privileges Required: Low (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: High (risk of service disruption)

nextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
High — requires a race condition, non-default configuration, or specific circumstances. Harder to exploit reliably.
Privileges Required
Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Component: hashicorp/vault
Vendor: HashiCorp

Affected range      Fixed in
0.11.2 – 2.0.0      2.0.0
0.11.2 – 1.21.4     1.21.5

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. EPSS updated

Mitigation and Workarounds

To mitigate CVE-2026-4525, it is recommended to upgrade to a version of Vault that includes the fix. Affected versions are those prior to 2.0.0, 1.21.5, 1.20.10, and 1.19.16. Upgrading is the most effective solution. Alternatively, if immediate upgrading is not possible, you can disable the 'Authorization' header passthrough functionality in the auth mount configuration. Carefully review your auth mount configurations to ensure that the 'Authorization' header is not being forwarded unnecessarily. Implement strict access controls on auth plugin backends to limit the potential impact of Vault token exposure. Monitor Vault logs for suspicious activity related to authentication and header forwarding.

How to fix

Upgrade Vault to version 2.0.0, 1.21.5, 1.20.10 or 1.19.16. Disable passthrough of the 'Authorization' header in the auth mount configurations, or make sure the 'Authorization' header is used only to authenticate to Vault and is not passed through to auth plugin backends.
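The workaround above amounts to checking every auth mount's tune settings for an 'Authorization' entry in its passthrough header list and removing it. The audit script below is an added example (not part of this advisory and not HashiCorp code). It assumes you feed it the JSON that `vault read -format=json sys/auth/<mount>/tune` returns; `passthrough_request_headers` and the `vault auth tune -passthrough-request-headers` flag are real Vault options, but the sample tune documents embedded here are constructed, and the exact clearing semantics of an empty flag value should be checked against your Vault version's `vault auth tune -help`.

```python
"""Audit Vault auth mounts for 'Authorization' header passthrough (CVE-2026-4525).

Added example for this advisory; not HashiCorp's code. Input is the JSON body of
`vault read -format=json sys/auth/<mount>/tune` for each mount (assumed shape:
{"data": {"passthrough_request_headers": [...], ...}}).
"""
import json

# Constructed sample output for three auth mounts (not real tune data).
SAMPLE_TUNE_OUTPUT = {
    "approle/": json.dumps({"data": {
        "default_lease_ttl": 0, "max_lease_ttl": 0,
        "passthrough_request_headers": ["X-Forwarded-For", "Authorization"]}}),
    "oidc/": json.dumps({"data": {"default_lease_ttl": 0, "max_lease_ttl": 0}}),
    "jwt/": json.dumps({"data": {"passthrough_request_headers": ["x-request-id"]}}),
}


def passthrough_headers(tune_json: str) -> list[str]:
    """Extract the passthrough header list from one tune document (empty if unset)."""
    doc = json.loads(tune_json)
    return list(doc.get("data", {}).get("passthrough_request_headers") or [])


def forwards_authorization(headers) -> bool:
    """HTTP header names are case-insensitive, so compare case-folded."""
    return any(h.strip().lower() == "authorization" for h in headers)


def audit(mounts: dict[str, str]) -> dict[str, list[str]]:
    """Return {mount: passthrough headers} for every mount that forwards Authorization."""
    findings = {}
    for mount, tune_json in mounts.items():
        hdrs = passthrough_headers(tune_json)
        if forwards_authorization(hdrs):
            findings[mount] = hdrs
    return findings


def remediation_command(mount: str, headers) -> str:
    """Build a `vault auth tune` line that keeps the other headers and drops Authorization.

    The flag may be repeated once per header; if nothing remains, an empty value is
    emitted (assumption: verify the clearing behaviour for your Vault version).
    """
    keep = [h for h in headers if h.strip().lower() != "authorization"]
    flags = " ".join(f'-passthrough-request-headers="{h}"' for h in keep) \
        or '-passthrough-request-headers=""'
    return f"vault auth tune {flags} {mount}"


if __name__ == "__main__":
    for mount, hdrs in audit(SAMPLE_TUNE_OUTPUT).items():
        print(f"{mount}: forwards Authorization via {hdrs}")
        print("  fix:", remediation_command(mount, hdrs))
```

In a real environment, replace `SAMPLE_TUNE_OUTPUT` with one tune read per entry of `vault auth list`, and treat any finding as a mount whose backend can receive Vault tokens until it is retuned or the cluster is upgraded to a fixed version.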


Frequently asked questions

Which versions of HashiCorp Vault are affected by CVE-2026-4525?

Versions prior to 2.0.0, 1.21.5, 1.20.10, and 1.19.16 are vulnerable.

Am I affected by CVE-2026-4525 in HashiCorp Vault?

Check the version of Vault you are using. If it is prior to the patched versions, you are vulnerable.

What is the 'Authorization' header?

It is an HTTP header used to transmit authentication information, such as an authentication token.

What is the auth plugin backend?

It is the system or service that Vault uses to verify user credentials.

Is there a workaround for CVE-2026-4525 in HashiCorp Vault?

Disabling the 'Authorization' header passthrough in the auth mount configuration is a temporary workaround.
