CVE-2026-5052 PUBLISHED

Vault Vulnerable to Server-Side Request Forgery in ACME Challenge Validation via Attacker-Controlled DNS

Assigner: HashiCorp
Reserved: 27.03.2026 Published: 17.04.2026 Updated: 17.04.2026

ACME validation in Vault's PKI engine did not reject local targets when issuing http-01 and tls-alpn-01 challenges. As a result, these challenge requests may be sent to local network targets, potentially leading to information disclosure. Fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS Score: 5.3

Product Status

Vendor: HashiCorp
Product: Vault
Versions (default: unaffected):
  • affected from 1.15.0 to 2.0.0 (excl.)

Vendor: HashiCorp
Product: Vault Enterprise
Versions (default: unaffected):
  • affected from 1.15.0 to 2.0.0 (excl.)

Problem Types

  • CWE-918: Server-Side Request Forgery (SSRF)

Impacts

  • CAPEC-118: Collect and Analyze Information