{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4525", "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "state": "PUBLISHED", "assignerShortName": "HashiCorp", "dateReserved": "2026-03-20T17:47:40.835Z", "datePublished": "2026-04-17T03:00:47.561Z", "dateUpdated": "2026-04-17T03:00:47.561Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["64 bit", "32 bit", "x86", "ARM", "MacOS", "Windows", "Linux"], "product": "Vault", "repo": "https://github.com/hashicorp/vault", "vendor": "HashiCorp", "versions": [{"lessThan": "2.0.0", "status": "affected", "version": "0.11.2", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "platforms": ["64 bit", "32 bit", "x86", "ARM", "MacOS", "Windows", "Linux"], "product": "Vault Enterprise", "repo": "https://github.com/hashicorp/vault", "vendor": "HashiCorp", "versions": [{"changes": [{"at": "1.19.16", "status": "unaffected"}, {"at": "1.20.10", "status": "unaffected"}, {"at": "1.21.5", "status": "unaffected"}], "lessThan": "2.0.0", "status": "affected", "version": "0.11.2", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>If a Vault auth mount is configured to pass through the \"Authorization\" header, and the \"Authorization\" header is used to authenticate to Vault, Vault forwarded the Vault token to the auth plugin backend. Fixed in 2.0.0, 1.21.5, 1.20.10, and 1.19.16.</p><br/>"}], "value": "If a Vault auth mount is configured to pass through the \"Authorization\" header, and the \"Authorization\" header is used to authenticate to Vault, Vault forwarded the Vault token to the auth plugin backend. Fixed in 2.0.0, 1.21.5, 1.20.10, and 1.19.16."}], "impacts": [{"capecId": "CAPEC-118", "descriptions": [{"lang": "en", "value": "CAPEC-118: Collect and Analyze Information"}]}], "metrics": [{"cvssV3_1": {"baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-201", "description": "CWE-201: Insertion of Sensitive Information Into Sent Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "shortName": "HashiCorp", "dateUpdated": "2026-04-17T03:00:47.561Z"}, "references": [{"url": "https://discuss.hashicorp.com/t/hcsec-2026-07-vault-may-expose-tokens-to-auth-plugins-due-to-incorrect-header-sanitization/77344"}], "source": {"advisory": "HCSEC-2026-08", "discovery": "EXTERNAL"}, "title": "Vault Token Leaked to Backends via Authorization: Bearer Passthrough Header"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "If a Vault auth mount is configured to pass through the \"Authorization\" header, and the \"Authorization\" header is used to authenticate to Vault, Vault forwarded the Vault token to the auth plugin backend. Fixed in 2.0.0, 1.21.5, 1.20.10, and 1.19.16."}], "id": "CVE-2026-4525", "lastModified": "2026-04-17T04:16:09.997", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "security@hashicorp.com", "type": "Secondary"}]}, "published": "2026-04-17T04:16:09.997", "references": [{"source": "security@hashicorp.com", "url": "https://discuss.hashicorp.com/t/hcsec-2026-07-vault-may-expose-tokens-to-auth-plugins-due-to-incorrect-header-sanitization/77344"}], "sourceIdentifier": "security@hashicorp.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-201"}], "source": "security@hashicorp.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": ["64_bit", "32_bit", "x86", "arm", "macos", "windows", "linux"], "status": "affected", "versions": {"scheme": "semver", "value": "[0.11.2,2.0.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Vault", "source": "cna", "vendor": "HashiCorp"}, "product": "vault", "vendor": "hashicorp"}, {"configurations": [{"platform": ["64_bit", "32_bit", "x86", "arm", "macos", "windows", "linux"], "status": "affected", "versions": {"scheme": "semver", "value": "[0.11.2,2.0.0)"}}, {"platform": ["64_bit", "32_bit", "x86", "arm", "macos", "windows", "linux"], "status": "unaffected", "versions": {"scheme": "semver", "value": "1.19.16"}}, {"platform": ["64_bit", "32_bit", "x86", "arm", "macos", "windows", "linux"], "status": "unaffected", "versions": {"scheme": "semver", "value": "1.20.10"}}, {"platform": ["64_bit", "32_bit", "x86", "arm", "macos", "windows", "linux"], "status": "unaffected", "versions": {"scheme": "semver", "value": "1.21.5"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Vault Enterprise", "source": "cna", "vendor": "HashiCorp"}, "product": "vault_enterprise", "vendor": "hashicorp"}], "analysis": {"en": {"generated_at": "2026-04-17T04:20:27.744411+00:00", "value": {"mitigation_remediation": ["Upgrade HashiCorp Vault to version 2.0.0 or newer, or to 1.21.5, 1.20.10, or 1.19.16 to receive the patch.", "If any Vault tokens may have been exposed, immediately rotate or revoke impacted tokens and generate new root tokens.", "Reconfigure all authentication backends to disable passthrough of the Authorization header and ensure safe handling of header data.", "Implement comprehensive input validation or header sanitization for any internal components that process Authorization headers to prevent future token leakage."], "summary": {"action": "Patch Now", "impact": "Vault Token Exposure"}, "threat_synthesis": {"affected_systems": "HashiCorp Vault and Vault Enterprise are affected. All releases older than 2.0.0, 1.21.5, 1.20.10, or 1.19.16 contain the vulnerability.", "description_and_impact": "Vault allows the Authorization header to be forwarded to authentication backends when the header is used for authenticating to Vault. The forwarded header contains the Vault token, which is mistakenly exposed to the auth plugin. This leakage of the token can enable an attacker to impersonate the user with the token's privileges. The weakness is an insecure handling of sensitive data (CWE-201), compromising confidentiality and potentially providing full access to Vault resources.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 7.5, indicating high severity. EPSS data is not available, but public exploitation is not documented and the issue is not listed in the CISA KEV catalog. The attack requires the ability to configure an auth mount to use the Authorization header passthrough, which is typically a privilege of internal users or an attacker who compromises the configuration process. An attacker who can achieve this can retrieve a Vault token and perform unauthorized actions."}}}}, "created": "2026-04-17T04:30:09.541843+00:00", "updated": "2026-04-17T04:30:09.624393+00:00", "vendors": ["hashicorp", "hashicorp$PRODUCT$vault", "hashicorp$PRODUCT$vault_enterprise"]}