Vault Authenticated Deletion via Policy Globbing ( 2.0.0)
CVE-2026-3605 Published on April 17, 2026
Vault KVv2 Metadata and Secret Deletion Policy Bypass Denial-of-Service
An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user to delete secrets across namespaces, nor read any secret data. Fxed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.
Weakness Type
Authentication Bypass Using an Alternate Path or Channel
A product requires authentication, but the product has an alternate path or channel that does not require authentication.
Products Associated with CVE-2026-3605
Want to know whenever a new CVE is published for HashiCorp Vault? stack.watch will email you.
Affected Versions
HashiCorp Vault:- Version 0.10.0 and below 2.0.0 is affected.
- Version 0.10.0 and below 2.0.0 is affected.