HashiCorp Vault

Vault CE 1.21.0 / Enterprise 1.21.0: JSON DOS (unauthenticated)
CVE-2025-12044 7.5 - High - October 23, 2025

Vault and Vault Enterprise (Vault) are vulnerable to an unauthenticated denial of service when processing JSON payloads. This occurs due to a regression from a previous fix for [+HCSEC-2025-24+|https://discuss.hashicorp.com/t/hcsec-2025-24-vault-denial-of-service-though-complex-json-payloads/76393]  which allowed for processing JSON payloads before applying rate limits. This vulnerability, CVE-2025-12044, is fixed in Vault Community Edition 1.21.0 and Vault Enterprise 1.16.27, 1.19.11, 1.20.5, and 1.21.0.

Allocation of Resources Without Limits or Throttling

Vault AWS Auth Bypass (CVE-2025-11621) fixed 1.21.0/1.20.5/1.19.11/1.16.27
CVE-2025-11621 8.1 - High - October 23, 2025

Vault and Vault Enterprises (Vault) AWS Auth method may be susceptible to authentication bypass if the role of the configured bound_principal_iam is the same across AWS accounts, or uses a wildcard. This vulnerability, CVE-2025-11621, is fixed in Vault Community Edition 1.21.0 and Vault Enterprise 1.21.0, 1.20.5, 1.19.11, and 1.16.27

Authentication Bypass Using an Alternate Path or Channel

Vault Memory Exhaustion via Large Payload (1.20.3+ Vulnerable)
CVE-2025-6203 7.5 - High - August 28, 2025

A malicious user may submit a specially-crafted complex payload that otherwise meets the default request size limit which results in excessive memory and CPU consumption of Vault. This may lead to a timeout in Vaults auditing subroutine, potentially resulting in the Vault server to become unresponsive. This vulnerability, CVE-2025-6203, is fixed in Vault Community Edition 1.20.3 and Vault Enterprise 1.20.3, 1.19.9, 1.18.14, and 1.16.25.

Allocation of Resources Without Limits or Throttling

Vault LDAP MFA Bypass via username_as_alias; fixed in CE 1.20.2
CVE-2025-6013 - August 06, 2025

Vault and Vault Enterprises (Vault) ldap auth method may not have correctly enforced MFA if username_as_alias was set to true and a user had multiple CNs that are equal but with leading or trailing spaces. Fixed in Vault Community Edition 1.20.2 and Vault Enterprise 1.20.2, 1.19.8, 1.18.13, and 1.16.24.

Vault Privilege Escalation via Identity Endpoint (pre-1.20.0)
CVE-2025-5999 - August 01, 2025

A privileged Vault operator with write permissions to the root namespaces identity endpoint could escalate their own or another users token privileges to Vaults root policy. Fixed in Vault Community Edition 1.20.0 and Vault Enterprise 1.20.0, 1.19.6, 1.18.11 and 1.16.22.

Vault Privileged Operator RCE via Plugin Directory (before 1.20.1)
CVE-2025-6000 - August 01, 2025

A privileged Vault operator within the root namespace with write permission to {{sys/audit}} may obtain code execution on the underlying host if a plugin directory is set in Vaults configuration. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

Vault Userpass/LDAP Lockout Bypass before 1.20.1
CVE-2025-6004 - August 01, 2025

Vault and Vault Enterprises (Vault) user lockout feature could be bypassed for Userpass and LDAP authentication methods. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

Vault Userpass Auth Timing Side Channel Username Enumeration
CVE-2025-6011 - August 01, 2025

A timing side channel in Vault and Vault Enterprises (Vault) userpass auth method allowed an attacker to distinguish between existing and non-existing users, and potentially enumerate valid usernames for Vaults Userpass auth method. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

Vault TOTP Engine Code Reuse Vulnerability (Replay) – Fixed 1.20.1
CVE-2025-6014 - August 01, 2025

Vault and Vault Enterprises (Vault) TOTP Secrets Engine code validation endpoint is susceptible to code reuse within its validity period. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

Vault MFA Rate Limit Bypass & TOTP Reuse (CVE-2025-6015) before 1.20.1
CVE-2025-6015 - August 01, 2025

Vault and Vault Enterprises (Vault) login MFA rate limits could be bypassed and TOTP tokens could be reused. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

TLS Cert Auth Issue in Vault 1.18.12-1.20.1
CVE-2025-6037 - August 01, 2025

Vault and Vault Enterprise (Vault) TLS certificate auth method did not correctly validate client certificates when configured with a non-CA certificate as [+trusted certificate+|https://developer.hashicorp.com/vault/api-docs/auth/cert#certificate]. In this configuration, an attacker may be able to craft a malicious certificate that could be used to impersonate another user. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

Vault DoS via Uncontrolled Cancellation in Rekey Ops Before 1.20.0
CVE-2025-4656 - June 25, 2025

Vault Community and Vault Enterprise rekey and recovery key operations can lead to a denial of service due to uncontrolled cancellation by a Vault operator. This vulnerability (CVE-2025-4656) has been remediated in Vault Community Edition 1.20.0 and Vault Enterprise 1.20.0, 1.19.6, 1.18.11, 1.17.17, and 1.16.22.

Vault Azure Auth Claims Validation Bypass (1.19.1+)
CVE-2025-3879 8.8 - High - May 02, 2025

Vault Community, Vault Enterprise (Vault) Azure Auth method did not correctly validate the claims in the Azure-issued token, resulting in the potential bypass of the bound_locations parameter on login. Fixed in Vault Community Edition 1.19.1 and Vault Enterprise 1.19.1, 1.18.7, 1.17.14, 1.16.18.

Vault KV Plugin v2 Log Exposure via Malformed API Payloads - Fixed in 1.19.3
CVE-2025-4166 6.5 - Medium - May 02, 2025

Vault Community and Vault Enterprise Key/Value (kv) Version 2 plugin may unintentionally expose sensitive information in server and audit logs when users submit malformed payloads during secret creation or update operations via the Vault REST API. This vulnerability, identified as CVE-2025-4166, is fixed in Vault Community 1.19.3 and Vault Enterprise 1.19.3, 1.18.9, 1.17.16, 1.16.20.

Vault: DoS via Raft join API (before 1.18.1)
CVE-2024-8185 - October 31, 2024

Vault Community and Vault Enterprise (Vault) clusters using Vaults Integrated Storage backend are vulnerable to a denial-of-service (DoS) attack through memory exhaustion through a Raft cluster join API endpoint . An attacker may send a large volume of requests to the endpoint which may cause Vault to consume excessive system memory resources, potentially leading to a crash of the underlying system and the Vault process itself. This vulnerability, CVE-2024-8185, is fixed in Vault Community 1.18.1 and Vault Enterprise 1.18.1, 1.17.8, and 1.16.12.

Vault Priv Escalation via Root Namespace Identity Endpoint (Fixed 1.18.0)
CVE-2024-9180 7.2 - High - October 10, 2024

A privileged Vault operator with write permissions to the root namespaces identity endpoint could escalate their own or another users privileges to Vaults root policy. Fixed in Vault Community Edition 1.18.0 and Vault Enterprise 1.18.0, 1.17.7, 1.16.11, and 1.15.16.

HashiCorp Vault SSH SE valid_principals flaw any host auth (pre-1.17.6)
CVE-2024-7594 8.8 - High - September 26, 2024

Vaults SSH secrets engine did not require the valid_principals list to contain a value by default. If the valid_principals and default_user fields of the SSH secrets engine configuration are not set, an SSH certificate requested by an authorized user to Vaults SSH secrets engine could be used to authenticate as any user on the host. Fixed in Vault Community Edition 1.17.6, and in Vault Enterprise 1.17.6, 1.16.10, and 1.15.15.

Vault 1.17.5/1.16.9 HMAC Audit Log Regression CVE-2024-8365
CVE-2024-8365 6.5 - Medium - September 02, 2024

Vault Community Edition and Vault Enterprise experienced a regression where functionality that HMACd sensitive headers in the configured audit device, specifically client tokens and token accessors, was removed. This resulted in the plaintext values of client tokens and token accessors being stored in the audit log. This vulnerability, CVE-2024-8365, was fixed in Vault Community Edition and Vault Enterprise 1.17.5 and Vault Enterprise 1.16.9.

Insertion of Sensitive Information into Log File

Vault DoS via proxy_protocol_behavior deny_unauthorized before 1.17.2
CVE-2024-6468 - July 11, 2024

Vault and Vault Enterprise did not properly handle requests originating from unauthorized IP addresses when the TCP listener option, proxy_protocol_behavior, was set to deny_unauthorized. When receiving a request from a source IP address that was not listed in proxy_protocol_authorized_addrs, the Vault API server would shut down and no longer respond to any HTTP requests, potentially resulting in denial of service. While this bug also affected versions of Vault up to 1.17.1 and 1.16.5, a separate regression in those release series did not allow Vault operators to configure the deny_unauthorized option, thus not allowing the conditions for the denial of service to occur. Fixed in Vault and Vault Enterprise 1.17.2, 1.16.6, and 1.15.12.

Vault JWT Auth: Audience Claim Validation Bypass before 1.17.0
CVE-2024-5798 2.6 - Low - June 12, 2024

Vault and Vault Enterprise did not properly validate the JSON Web Token (JWT) role-bound audience claim when using the Vault JWT auth method. This may have resulted in Vault validating a JWT the audience and role-bound claims do not match, allowing an invalid login to succeed when it should have been rejected. This vulnerability, CVE-2024-5798, was fixed in Vault and Vault Enterprise 1.17.0, 1.16.3, and 1.15.9

authentification

Vault Enterprise 1.15.8: Standby Audit Logs Sensitive HTTP Headers
CVE-2024-2877 5.5 - Medium - April 30, 2024

Vault Enterprise, when configured with performance standby nodes and a configured audit device, will inadvertently log request headers on the standby node. These logs may have included sensitive HTTP request information in cleartext. This vulnerability, CVE-2024-2877, was fixed in Vault Enterprise 1.15.8.

Vault TLS Auth OCSP Validation Flaw v1.14.0-<1.16.0
CVE-2024-2660 6.8 - Medium - April 04, 2024

Vault and Vault Enterprise TLS certificates auth method did not correctly validate OCSP responses when one or more OCSP sources were configured. This vulnerability, CVE-2024-2660, affects Vault and Vault Enterprise 1.14.0 and above, and is fixed in Vault 1.16.0 and Vault Enterprise 1.16.1, 1.15.7, and 1.14.11.

Vault TLS Cert Auth Bypass (1.15.5/1.14.10)
CVE-2024-2048 9.8 - Critical - March 04, 2024

Vault and Vault Enterprise (Vault) TLS certificate auth method did not correctly validate client certificates when configured with a non-CA certificate as trusted certificate. In this configuration, an attacker may be able to craft a malicious certificate that could be used to bypass authentication. Fixed in Vault 1.15.5 and 1.14.10.

Vault Log_RAW Audit Device May Expose Sensitive Data
CVE-2024-0831 6.5 - Medium - February 01, 2024

Vault and Vault Enterprise (Vault) may expose sensitive information when enabling an audit device which specifies the `log_raw` option, which may log sensitive information to other audit devices, regardless of whether they are configured to use `log_raw`.

Insertion of Sensitive Information into Log File

Vault HTTP DoS via memory exhaustion 1.12.0+
CVE-2023-6337 7.5 - High - December 08, 2023

HashiCorp Vault and Vault Enterprise 1.12.0 and newer are vulnerable to a denial of service through memory exhaustion of the host when handling large unauthenticated and authenticated HTTP requests from a client. Vault will attempt to map the request to memory, resulting in the exhaustion of available memory on the host, which may cause Vault to crash. Fixed in Vault 1.15.4, 1.14.8, 1.13.12.

Allocation of Resources Without Limits or Throttling

HashiCorp Vault memory exhaustion via policy check (DDoS) - before 1.15.2
CVE-2023-5954 7.5 - High - November 09, 2023

HashiCorp Vault and Vault Enterprise inbound client requests triggering a policy check can lead to an unbounded consumption of memory. A large number of these requests may lead to denial-of-service. Fixed in Vault 1.15.2, 1.14.6, and 1.13.10.

Memory Leak

Vault Enterprise Sentinel Role Governing Policy DoS via CrossNamespace (1.14.4)
CVE-2023-3775 4.9 - Medium - September 29, 2023

A Vault Enterprise Sentinel Role Governing Policy created by an operator to restrict access to resources in one namespace can be applied to requests outside in another non-descendant namespace, potentially resulting in denial of service. Fixed in Vault Enterprise 1.15.0, 1.14.4, 1.13.8.

Vault Google Cloud Secrets Engine Fails to Preserve IAM Conditions (pre-1.13.0)
CVE-2023-5077 7.5 - High - September 29, 2023

The Vault and Vault Enterprise ("Vault") Google Cloud secrets engine did not preserve existing Google Cloud IAM Conditions upon creating or updating rolesets. Fixed in Vault 1.13.0.

Incorrect Permission Assignment for Critical Resource

CVE-2023-4680: HashiCorp Vault Transit Engine Nonce Bypass (1.61.14.3)
CVE-2023-4680 6.8 - Medium - September 15, 2023

HashiCorp Vault and Vault Enterprise transit secrets engine allowed authorized users to specify arbitrary nonces, even with convergent encryption disabled. The encrypt endpoint, in combination with an offline attack, could be used to decrypt arbitrary ciphertext and potentially derive the authentication subkey when using transit secrets engine without convergent encryption. Introduced in 1.6.0 and fixed in 1.14.3, 1.13.7, and 1.12.11.

Improper Input Validation

HashiCorp Vault LDAP Auth User Enumeration (pre1.14.1/1.13.5)
CVE-2023-3462 5.3 - Medium - July 31, 2023

HashiCorp's Vault and Vault Enterprise are vulnerable to user enumeration when using the LDAP auth method. An attacker may submit requests of existent and non-existent LDAP users and observe the response from Vault to check if the account is valid on the LDAP server. This vulnerability is fixed in Vault 1.14.1 and 1.13.5.

Side Channel Attack

Vault Enterprise Namespace Crash <1.14.1 (CVE20233774)
CVE-2023-3774 4.9 - Medium - July 28, 2023

An unhandled error in Vault Enterprise's namespace creation may cause the Vault process to crash, potentially resulting in denial of service. Fixed in 1.14.1, 1.13.5, and 1.12.9.

Improper Handling of Exceptional Conditions

Vault KV-v2 Diff Viewer HTML Injection before 1.14.0 (CVE-2023-2121)
CVE-2023-2121 5.4 - Medium - June 09, 2023

Vault and Vault Enterprise's (Vault) key-value v2 (kv-v2) diff viewer allowed HTML injection into the Vault web UI through key values. This vulnerability, CVE-2023-2121, is fixed in Vault 1.14.0, 1.13.3, 1.12.7, and 1.11.11.

XSS

Vault Enterprise <=1.13.1: HSM Padding Oracle on CKM_AES_CBC_PAD/CBC Attack
CVE-2023-2197 2.5 - Low - May 01, 2023

HashiCorp Vault Enterprise 1.13.0 up to 1.13.1 is vulnerable to a padding oracle attack when using an HSM in conjunction with the CKM_AES_CBC_PAD or CKM_AES_CBC encryption mechanisms. An attacker with privileges to modify storage and restart Vault may be able to intercept or modify cipher text in order to derive Vaults root key. Fixed in 1.13.2

Inadequate Encryption Strength

SQLi in Vault MSSQL Backend 0.8.0-1.13.1 (fixed in 1.13.1/1.12.5/1.11.9)
CVE-2023-0620 6.7 - Medium - March 30, 2023

HashiCorp Vault and Vault Enterprise versions 0.8.0 through 1.13.1 are vulnerable to an SQL injection attack when configuring the Microsoft SQL (MSSQL) Database Storage Backend. When configuring the MSSQL plugin through the local, certain parameters are not sanitized when passed to the user-provided MSSQL database. An attacker may modify these parameters to execute a malicious SQL command. This issue is fixed in versions 1.13.1, 1.12.5, and 1.11.9.

SQL Injection

HashiCorp Vault 1.x PKI Mount Auth Bypass (CVE-2023-0665)
CVE-2023-0665 6.5 - Medium - March 30, 2023

HashiCorp Vault's PKI mount issuer endpoints did not correctly authorize access to remove an issuer or modify issuer metadata, potentially resulting in denial of service of the PKI mount. This bug did not affect public or private key material, trust chains or certificate issuance. Fixed in Vault 1.13.1, 1.12.5, and 1.11.9.

Vault Shamir Secret Sharing: CacheTiming Attack (pre1.13.1)
CVE-2023-25000 4.7 - Medium - March 30, 2023

HashiCorp Vault's implementation of Shamir's secret sharing used precomputed table lookups, and was vulnerable to cache-timing attacks. An attacker with access to, and the ability to observe a large number of unseal operations on the host through a side channel may reduce the search space of a brute force effort to recover the Shamir shares. Fixed in Vault 1.13.1, 1.12.5, and 1.11.9.

Side Channel Attack

HashiCorp Vault AuthRole allows arbitrary secret ID deletion <1.13.0
CVE-2023-24999 8.1 - High - March 11, 2023

HashiCorp Vault and Vault Enterprises approle auth method allowed any authenticated user with access to an approle destroy endpoint to destroy the secret ID of any other role by providing the secret ID accessor. This vulnerability is fixed in Vault 1.13.0, 1.12.4, 1.11.8, 1.10.11 and above.

AuthZ

Vault TLS Cert Auth CRL Not Loaded before 1.12 (CVE-2022-41316)
CVE-2022-41316 5.3 - Medium - October 12, 2022

HashiCorp Vault and Vault Enterprises TLS certificate auth method did not initially load the optionally configured CRL issued by the role's CA into memory on startup, resulting in the revocation list not being checked if the CRL has not yet been retrieved. Fixed in 1.12.0, 1.11.4, 1.10.7, and 1.9.10.

Improper Certificate Validation

HashiCorp Vault <1.11.3: Identity Alias Metadata Overwrite Unintended KV Path Access
CVE-2022-40186 9.1 - Critical - September 22, 2022

An issue was discovered in HashiCorp Vault and Vault Enterprise before 1.11.3. A vulnerability in the Identity Engine was found where, in a deployment where an entity has multiple mount accessors with shared alias names, Vault may overwrite metadata to the wrong alias due to an issue with checking the proper alias assigned to an entity. This may allow for unintended access to key/value paths using that metadata in Vault.

HashiCorp Vault Ent <1.9.8 Unauth API Allows Voter Override
CVE-2022-36129 9.1 - Critical - July 26, 2022

HashiCorp Vault Enterprise 1.7.0 through 1.9.7, 1.10.4, and 1.11.0 clusters using Integrated Storage expose an unauthenticated API endpoint that could be abused to override the voter status of a node within a Vault HA cluster, introducing potential for future data loss or catastrophic failure. Fixed in Vault Enterprise 1.9.8, 1.10.5, and 1.11.1.

Missing Authentication for Critical Function

HashiCorp Vault and Vault Enterprise from 1.10.0 to 1.10.2 did not correctly configure and enforce MFA on login after server restarts
CVE-2022-30689 5.3 - Medium - May 17, 2022

HashiCorp Vault and Vault Enterprise from 1.10.0 to 1.10.2 did not correctly configure and enforce MFA on login after server restarts. This affects the Login MFA feature introduced in Vault and Vault Enterprise 1.10.0 and does not affect the separate Enterprise MFA feature set. Fixed in 1.10.3.

"Vault and Vault Enterprise 1.8.0 through 1.8.8, and 1.9.3
CVE-2022-25243 6.5 - Medium - March 10, 2022

"Vault and Vault Enterprise 1.8.0 through 1.8.8, and 1.9.3 allowed the PKI secrets engine under certain configurations to issue wildcard certificates to authorized users for a specified domain, even if the PKI role policy attribute allow_subdomains is set to false. Fixed in Vault Enterprise 1.8.9 and 1.9.4.

Improper Certificate Validation

Vault Enterprise clusters using the tokenization transform feature
CVE-2022-25244 6.5 - Medium - March 10, 2022

Vault Enterprise clusters using the tokenization transform feature can expose the tokenization key through the tokenization key configuration endpoint to authorized operators with `read` permissions on this endpoint. Fixed in Vault Enterprise 1.9.4, 1.8.9 and 1.7.10.

In HashiCorp Vault and Vault Enterprise before 1.7.7, 1.8.x before 1.8.6, and 1.9.x before 1.9.1, clusters using the Integrated Storage backend
CVE-2021-45042 4.9 - Medium - December 17, 2021

In HashiCorp Vault and Vault Enterprise before 1.7.7, 1.8.x before 1.8.6, and 1.9.x before 1.9.1, clusters using the Integrated Storage backend allowed an authenticated user (with write permissions to a kv secrets engine) to cause a panic and denial of service of the storage backend. The earliest affected version is 1.4.0.

HashiCorp Vault and Vault Enterprise 0.11.0 up to 1.7.5 and 1.8.4 templated ACL policies
CVE-2021-43998 6.5 - Medium - November 30, 2021

HashiCorp Vault and Vault Enterprise 0.11.0 up to 1.7.5 and 1.8.4 templated ACL policies would always match the first-created entity alias if multiple entity aliases exist for a specified entity and mount combination, potentially resulting in incorrect policy enforcement. Fixed in Vault and Vault Enterprise 1.7.6, 1.8.5, and 1.9.0.

Incorrect Permission Assignment for Critical Resource

HashiCorp Vault and Vault Enterprise 1.8.x through 1.8.4 may have an unexpected interaction between glob-related policies and the Google Cloud secrets engine
CVE-2021-42135 8.1 - High - October 11, 2021

HashiCorp Vault and Vault Enterprise 1.8.x through 1.8.4 may have an unexpected interaction between glob-related policies and the Google Cloud secrets engine. Users may, in some situations, have more privileges than intended, e.g., a user with read permission for the /gcp/roleset/* path may be able to issue Google Cloud service account credentials.

Improper Privilege Management

HashiCorp Vault and Vault Enterprise through 1.7.4 and 1.8.3
CVE-2021-41802 5.4 - Medium - October 08, 2021

HashiCorp Vault and Vault Enterprise through 1.7.4 and 1.8.3 allowed a user with write permission to an entity alias ID sharing a mount accessor with another user to acquire this other users policies by merging their identities. Fixed in Vault and Vault Enterprise 1.7.5 and 1.8.4.

Incorrect Permission Assignment for Critical Resource

HashiCorp Vault Enterprise 0.9.2 through 1.6.2 allowed the read of license metadata from DR secondaries without authentication
CVE-2021-27668 5.3 - Medium - August 31, 2021

HashiCorp Vault Enterprise 0.9.2 through 1.6.2 allowed the read of license metadata from DR secondaries without authentication. Fixed in 1.6.3.

Missing Authentication for Critical Function

HashiCorp Vault and Vault Enterprise 1.4.0 through 1.7.3 initialized an underlying database file associated with the Integrated Storage feature with excessively broad filesystem permissions
CVE-2021-38553 4.4 - Medium - August 13, 2021

HashiCorp Vault and Vault Enterprise 1.4.0 through 1.7.3 initialized an underlying database file associated with the Integrated Storage feature with excessively broad filesystem permissions. Fixed in Vault and Vault Enterprise 1.8.0.

Improper Preservation of Permissions

HashiCorp Vault and Vault Enterprises UI erroneously cached and exposed user-viewed secrets between sessions in a single shared browser
CVE-2021-38554 5.3 - Medium - August 13, 2021

HashiCorp Vault and Vault Enterprises UI erroneously cached and exposed user-viewed secrets between sessions in a single shared browser. Fixed in 1.8.0 and pending 1.7.4 / 1.6.6 releases.

Improper Removal of Sensitive Information Before Storage or Transfer