HIGHCVE-2026-4525Published 2026-04-17Modified 2026-04-17CNA HashiCorp

CVE-2026-4525: Vault Token Leaked to Backends via Authorization: Bearer Passthrough Header

If a Vault auth mount is configured to pass through the "Authorization" header, and the "Authorization" header is used to authenticate to Vault, Vault forwarded the Vault token to the auth plugin backend. Fixed in 2.0.0, 1.21.5, 1.20.10, and 1.19.16.

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: 2.0.0
Affected Products: 2

Fix available

2.0.0

Affected packages

HashiCorp / Vault
< 2.0.0 (from 0.11.2)
HashiCorp / Vault Enterprise
< 2.0.0 (from 0.11.2)

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

References

discuss.hashicorp.com

Metrics

Fix available