CVE-2026-4525 PUBLISHED

Vault Token Leaked to Backends via Authorization: Bearer Passthrough Header

Assigner: HashiCorp
Reserved: 20.03.2026
Published: 17.04.2026
Updated: 17.04.2026

If a Vault auth mount is configured to pass through the "Authorization" header, and the "Authorization" header is used to authenticate to Vault, Vault forwards the Vault token to the auth plugin backend. Fixed in 2.0.0, 1.21.5, 1.20.10, and 1.19.16.
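The two conditions in the description are both checkable from the outside: the running version must fall inside the affected range (minus the fixed patch lines named above), and at least one auth mount must pass the Authorization header through to its backend. The following Python is an added example, not HashiCorp's code or part of the advisory. It assumes the mount configuration is read from the JSON returned by Vault's sys/auth listing, where the passthrough setting is exposed under the config key passthrough_request_headers (the same setting the auth tune command manages); that key name and the "+ent" suffix for Enterprise builds come from general Vault knowledge, not from this page, and the sample response is constructed. Versions in the 1.x range that are not in the 1.19, 1.20 or 1.21 lines are treated as affected, exactly as the stated range implies.

```python
import json
from typing import Dict, List, Tuple

# Fixed releases from the advisory. Within each 1.x line, any patch level at
# or above the listed one is treated as fixed; other lines fall back to the
# plain range "affected from 0.11.2 to 2.0.0 (excl.)".
FIXED_PATCH_LINES = {(1, 21): 5, (1, 20): 10, (1, 19): 16}
AFFECTED_FROM = (0, 11, 2)
AFFECTED_BEFORE = (2, 0, 0)

# Constructed sample of a sys/auth listing: one mount passes Authorization
# through, one passes an unrelated header, the token mount passes nothing.
SAMPLE_SYS_AUTH = {
    "data": {
        "token/": {"type": "token", "config": {"token_type": "default-service"}},
        "jwt/": {"type": "jwt", "config": {"passthrough_request_headers": ["Authorization"]}},
        "oidc/": {"type": "oidc", "config": {"passthrough_request_headers": ["X-Forwarded-For"]}},
    }
}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '1.21.4', '1.21.4+ent' (assumed Enterprise suffix) or '2.0.0-rc1'
    into a comparable (major, minor, patch) tuple; missing fields become 0."""
    core = version.split("+", 1)[0].split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_affected(version: str) -> bool:
    """True when the version is inside the advisory's affected range and not
    at or above a fixed patch level of its own minor line."""
    v = parse_version(version)
    if v < AFFECTED_FROM or v >= AFFECTED_BEFORE:
        return False
    fixed_patch = FIXED_PATCH_LINES.get((v[0], v[1]))
    if fixed_patch is not None and v[2] >= fixed_patch:
        return False
    return True


def mounts_passing_authorization(sys_auth_response: Dict) -> List[str]:
    """Return the auth mount paths whose passthrough_request_headers (assumed
    key name) include Authorization, compared case-insensitively as HTTP
    header names are."""
    mounts = sys_auth_response.get("data", sys_auth_response)
    flagged = []
    for path, mount in mounts.items():
        if not isinstance(mount, dict):
            continue  # request_id, lease_id and similar envelope keys
        headers = mount.get("config", {}).get("passthrough_request_headers") or []
        if any(h.lower() == "authorization" for h in headers):
            flagged.append(path)
    return sorted(flagged)


def audit(version: str, sys_auth_response: Dict) -> Dict:
    """Combine both conditions: exposure needs an affected version AND a mount
    that forwards the Authorization header."""
    affected = is_affected(version)
    flagged = mounts_passing_authorization(sys_auth_response)
    return {
        "version": version,
        "version_affected": affected,
        "mounts_passing_authorization": flagged,
        "exposed": affected and bool(flagged),
    }


if __name__ == "__main__":
    for v in ("1.21.4", "1.21.5", "1.19.16+ent", "1.22.0", "2.0.0"):
        print(json.dumps(audit(v, SAMPLE_SYS_AUTH)))
```

In practice the dictionary passed to audit() is the parsed output of a sys/auth read against each cluster; where a mount shows up as flagged on an affected version, the remediation is the upgrade named in the advisory, and until then removing Authorization from that mount's passthrough list stops the token being copied to the backend.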

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 7.5

Product Status

Vendor: HashiCorp
Product: Vault
Versions: default unaffected
  • affected from 0.11.2 to 2.0.0 (excl.)

Vendor: HashiCorp
Product: Vault Enterprise
Versions: default unaffected
  • affected from 0.11.2 to 2.0.0 (excl.)

Problem Types

  • CWE-201: Insertion of Sensitive Information Into Sent Data

Impacts

  • CAPEC-118: Collect and Analyze Information