Platform
go
Component
hashicorp/vault
Opgelost in
2.0.0
2.0.0
1.21.5
CVE-2026-4525 is a security vulnerability affecting HashiCorp Vault. This issue occurs when an auth mount passes through the "Authorization" header, potentially exposing Vault tokens to the backend authentication plugin. The vulnerability impacts versions 0.11.2 through 2.0.0 of Vault. A fix is available in versions 2.0.0, 1.21.5, 1.20.10, and 1.19.16.
CVE-2026-4525 affects Vault when an auth mount is configured to pass through the 'Authorization' header. In this scenario, if the 'Authorization' header is used to authenticate to Vault, Vault inadvertently forwards the Vault token to the auth plugin backend. This could allow an attacker to compromise the auth plugin backend, potentially gaining access to secrets stored in Vault or performing unauthorized actions. The severity of this issue is rated as 7.5 (High) according to CVSS. Exposing Vault tokens to unintended auth plugin backends poses a significant security risk, as it could facilitate privilege escalation and unauthorized access to sensitive data. Addressing this vulnerability is crucial to protect the integrity and confidentiality of secrets managed by Vault.
This vulnerability is exploited when an attacker can control the 'Authorization' header sent to Vault. If an attacker can manipulate this header to include a valid Vault token, Vault will forward that token to the auth plugin backend. The auth plugin backend could then use this token to access resources or perform actions that the attacker should not be able to perform. The likelihood of exploitation depends on Vault's configuration and the security of the auth plugin backend. An environment where the 'Authorization' header is widely used for authentication and where the auth plugin backend is not adequately protected is more vulnerable.
Exploit Status
EPSS
0.02% (4% percentiel)
CISA SSVC
CVSS-vector
To mitigate CVE-2026-4525, it is recommended to upgrade to a version of Vault that includes the fix. Affected versions are those prior to 2.0.0, 1.21.5, 1.20.10, and 1.19.16. Upgrading is the most effective solution. Alternatively, if immediate upgrading is not possible, you can disable the 'Authorization' header passthrough functionality in the auth mount configuration. Carefully review your auth mount configurations to ensure that the 'Authorization' header is not being forwarded unnecessarily. Implement strict access controls on auth plugin backends to limit the potential impact of Vault token exposure. Monitor Vault logs for suspicious activity related to authentication and header forwarding.
Actualice Vault a la versión 2.0.0, 1.21.5, 1.20.10 o 1.19.16. Desactive la autorización de paso del encabezado 'Authorization' en las configuraciones de los auth mounts, o asegúrese de que el encabezado 'Authorization' se esté utilizando únicamente para autenticarse en Vault y no se esté pasando a los backends de auth plugin.
Kwetsbaarheidsanalyses en kritieke waarschuwingen direct in uw inbox.
Versions prior to 2.0.0, 1.21.5, 1.20.10, and 1.19.16 are vulnerable.
Check the version of Vault you are using. If it is prior to the patched versions, you are vulnerable.
It is an HTTP header used to transmit authentication information, such as an authentication token.
It is the system or service that Vault uses to verify user credentials.
Disabling the 'Authorization' header passthrough in the auth mount configuration is a temporary workaround.
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.
Upload je go.mod-bestand en we vertellen je direct of je getroffen bent.