CVE-2026-5807 PUBLISHED

Vault Vulnerable to Denial-of-Service via Unauthenticated Root Token Generation/Rekey Operations

Assigner: HashiCorp
Reserved: 08.04.2026 Published: 17.04.2026 Updated: 17.04.2026

Vault is vulnerable to a denial-of-service condition where an unauthenticated attacker can repeatedly initiate or cancel root token generation or rekey operations, occupying the single in-progress operation slot. This prevents legitimate operators from completing these workflows. This vulnerability, CVE-2026-5807, is fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Score: 7.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	HashiCorp
Product	Vault
Versions	Default: unaffected affected from 0 to 2.0.0 (excl.)

Vendor	HashiCorp
Product	Vault Enterprise
Versions	Default: unaffected affected from 0 to 2.0.0. (excl.)

References

https://discuss.hashicorp.com/t/hcsec-2026-08-vault-vulnerable-to-denial-of-service-via-unauthenticated-root-token-generation-rekey-operations/77345

Problem Types

CWE-770: Allocation of Resources Without Limits or Throttling CWE

Impacts

CAPEC-125: Flooding