CVE-2026-3605 PUBLISHED

Vault KVv2 Metadata and Secret Deletion Policy Bypass Denial-of-Service

Assigner: HashiCorp
Reserved: 05.03.2026 Published: 17.04.2026 Updated: 17.04.2026

An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user to delete secrets across namespaces, nor read any secret data. Fxed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
CVSS Score: 8.1

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	Low	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	HashiCorp
Product	Vault
Versions	Default: unaffected affected from 0.10.0 to 2.0.0 (excl.)

Vendor	HashiCorp
Product	Vault Enterprise
Versions	Default: unaffected affected from 0.10.0 to 2.0.0 (excl.)

References

https://discuss.hashicorp.com/t/hcsec-2026-05-vault-kvv2-metadata-and-secret-deletion-policy-bypass-denial-of-service/77342

Problem Types

CWE-288: Authentication Bypass Using an Alternate Path or Channel CWE

Impacts

CAPEC-126: Path Traversal