{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3605", "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "state": "PUBLISHED", "assignerShortName": "HashiCorp", "dateReserved": "2026-03-05T16:37:23.520Z", "datePublished": "2026-04-17T02:44:42.032Z", "dateUpdated": "2026-04-17T02:44:42.032Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["64 bit", "32 bit", "x86", "ARM", "MacOS", "Windows", "Linux"], "product": "Vault", "repo": "https://github.com/hashicorp/vault", "vendor": "HashiCorp", "versions": [{"lessThan": "2.0.0", "status": "affected", "version": "0.10.0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "platforms": ["64 bit", "32 bit", "x86", "ARM", "MacOS", "Windows", "Linux"], "product": "Vault Enterprise", "repo": "https://github.com/hashicorp/vault", "vendor": "HashiCorp", "versions": [{"changes": [{"at": "1.19.16", "status": "unaffected"}, {"at": "1.20.10", "status": "unaffected"}, {"at": "1.21.5", "status": "unaffected"}], "lessThan": "2.0.0", "status": "affected", "version": "0.10.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user to delete secrets across namespaces, nor read any secret data. Fxed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.</p><br/>"}], "value": "An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user to delete secrets across namespaces, nor read any secret data. Fxed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16."}], "impacts": [{"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "CAPEC-126: Path Traversal"}]}], "metrics": [{"cvssV3_1": {"baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-288", "description": "CWE-288: Authentication Bypass Using an Alternate Path or Channel", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "shortName": "HashiCorp", "dateUpdated": "2026-04-17T02:44:42.032Z"}, "references": [{"url": "https://discuss.hashicorp.com/t/hcsec-2026-05-vault-kvv2-metadata-and-secret-deletion-policy-bypass-denial-of-service/77342"}], "source": {"advisory": "HCSEC-2026-05", "discovery": "EXTERNAL"}, "title": "Vault KVv2 Metadata and Secret Deletion Policy Bypass Denial-of-Service"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user to delete secrets across namespaces, nor read any secret data. Fxed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16."}], "id": "CVE-2026-3605", "lastModified": "2026-04-17T04:16:03.263", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security@hashicorp.com", "type": "Secondary"}]}, "published": "2026-04-17T04:16:03.263", "references": [{"source": "security@hashicorp.com", "url": "https://discuss.hashicorp.com/t/hcsec-2026-05-vault-kvv2-metadata-and-secret-deletion-policy-bypass-denial-of-service/77342"}], "sourceIdentifier": "security@hashicorp.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-288"}], "source": "security@hashicorp.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": ["64_bit", "32_bit", "x86", "arm", "macos", "windows", "linux"], "status": "affected", "versions": {"scheme": "semver", "value": "[0.10.0,2.0.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Vault", "source": "cna", "vendor": "HashiCorp"}, "product": "vault", "vendor": "hashicorp"}, {"configurations": [{"platform": ["64_bit", "32_bit", "x86", "arm", "macos", "windows", "linux"], "status": "affected", "versions": {"scheme": "semver", "value": "[0.10.0,2.0.0)"}}, {"platform": ["64_bit", "32_bit", "x86", "arm", "macos", "windows", "linux"], "status": "unaffected", "versions": {"scheme": "semver", "value": "1.19.16"}}, {"platform": ["64_bit", "32_bit", "x86", "arm", "macos", "windows", "linux"], "status": "unaffected", "versions": {"scheme": "semver", "value": "1.20.10"}}, {"platform": ["64_bit", "32_bit", "x86", "arm", "macos", "windows", "linux"], "status": "unaffected", "versions": {"scheme": "semver", "value": "1.21.5"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Vault Enterprise", "source": "cna", "vendor": "HashiCorp"}, "product": "vault_enterprise", "vendor": "hashicorp"}], "analysis": {"en": {"generated_at": "2026-04-17T04:51:34.913618+00:00", "value": {"mitigation_remediation": ["Upgrade HashiCorp Vault Community Edition to version 2.0.0 or later.", "If using Vault Enterprise, upgrade to at least version 2.0.0, or to the patched releases 1.21.5, 1.20.10, or 1.19.16 if an upgrade to 2.0.0 is not immediately possible.", "Review and restrict glob patterns in policies to avoid granting delete permissions on kvv2 paths to users who do not need them, ensuring that delete capabilities are only granted to explicitly trusted roles."], "summary": {"action": "Patch Promptly", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "HashiCorp Vault Community Edition 2.0.0 and HashiCorp Vault Enterprise versions 2.0.0, 1.21.5, 1.20.10, and 1.19.16 are affected by this policy bypass. Users running these releases without updating are exposed to the described deletion issue.", "description_and_impact": "An authentication and authorization flaw in HashiCorp Vault allows an authenticated user with a glob\u2011based policy on a kvv2 path to delete secrets they are not authorized to remove, which can cause downtime for the service. The vulnerability does not provide cross\u2011namespace deletion or allow reading of secret data; it is a denial\u2011of\u2011service scenario rooted in insufficient permission checks (CWE-288).", "risk_and_exploitability": "The CVSS score of 8.1 indicates a high severity impact, and the lack of an EPSS score or KEV listing suggests no known widespread exploitation yet, though the absence of limitations on delete permissions makes the vulnerability readily exploitable in environments with misconfigured glob policies. An attacker must be authenticated and have policy access to the vulnerable path, but does not need any special administrative privileges beyond normal policy rights, increasing the likelihood of exploitation if privileges are misassigned."}}}}, "created": "2026-04-17T04:30:09.542395+00:00", "updated": "2026-04-17T05:00:05.502760+00:00", "vendors": ["hashicorp", "hashicorp$PRODUCT$vault", "hashicorp$PRODUCT$vault_enterprise"]}