HashiCorp Vault KV V2 Secret Deletion Policy Bypass Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in HashiCorp Vault's KV V2 secrets engine, affecting both the Community and Enterprise editions. An authenticated user whose policy grants access to a KV V2 path through a glob may be able to delete secrets they were not authorized to read or write. The issue arises from an oversight in how policies are enforced for deletions, allowing unauthorized secret deletions that could disrupt services relying on those secrets. The vulnerability does not permit deletion of secrets across namespaces, nor does it expose secret data.

Impact

Exploitation of this vulnerability can lead to unauthorized deletion of secrets, causing potential disruptions in applications or services that rely on those secrets.
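Because the advisory's impact is unexpected secret deletion rather than data exposure, the practical question for an operator is "which KV V2 secrets were removed, by whom, and under which policies" while the upgrade is rolled out. The following script is an added example, not code from HashiCorp or from this advisory: it scans Vault JSON audit-device records for the KV V2 request shapes that remove data (soft delete via DELETE on `<mount>/data/`, version delete or destroy via POST on `<mount>/delete/` and `<mount>/destroy/`, permanent removal via DELETE on `<mount>/metadata/`) and reports the acting identity and its attached policies. It assumes a KV V2 mount named `secret` (configurable) and the standard audit field names (`type`, `error`, `auth.policies`, `request.operation`, `request.path`); the audit lines are constructed for the example.

```python
import json

# Request shapes that remove KV v2 data, keyed by (audit operation, path segment after the mount).
# Soft delete:         HTTP DELETE <mount>/data/<secret>      -> operation "delete"
# Delete versions:     HTTP POST   <mount>/delete/<secret>    -> operation "update"
# Destroy versions:    HTTP POST   <mount>/destroy/<secret>   -> operation "update"
# Remove everything:   HTTP DELETE <mount>/metadata/<secret>  -> operation "delete"
DELETE_SHAPES = {
    ("delete", "data"): "soft-delete latest version",
    ("update", "delete"): "soft-delete specific versions",
    ("update", "destroy"): "destroy specific versions",
    ("delete", "metadata"): "delete all versions and metadata",
}


def classify(operation, path, mounts):
    """Return (mount, secret_path, description) if the request removes KV v2 data, else None."""
    for mount in mounts:
        prefix = mount.rstrip("/") + "/"
        if not path.startswith(prefix):
            continue
        kind, sep, secret = path[len(prefix):].partition("/")
        if not sep:  # e.g. "secret/data" with no secret path: not a deletion
            return None
        desc = DELETE_SHAPES.get((operation, kind))
        return (mount, secret, desc) if desc else None
    return None


def find_kv2_deletions(lines, mounts=("secret",)):
    """Scan audit-device JSON lines and return one finding per successful KV v2 deletion."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:  # truncated or non-JSON line: skip, do not abort
            continue
        # Only completed, successful calls count: "request" entries are logged before
        # authorization, and a non-empty "error" means the deletion did not happen.
        if entry.get("type") != "response" or entry.get("error"):
            continue
        req = entry.get("request", {})
        hit = classify(req.get("operation", ""), req.get("path", ""), mounts)
        if hit is None:
            continue
        mount, secret, desc = hit
        auth = entry.get("auth", {})
        findings.append({
            "time": entry.get("time"),
            "mount": mount,
            "secret": secret,
            "action": desc,
            "entity_id": auth.get("entity_id"),
            "display_name": auth.get("display_name"),
            "policies": auth.get("policies", []),
            "namespace": req.get("namespace", {}).get("path", ""),
            "remote_address": req.get("remote_address"),
        })
    return findings


def by_actor(findings):
    """Group deleted secret paths by the display name that performed them, in log order."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["display_name"], []).append(f["secret"])
    return grouped


# Constructed sample audit lines (not real Vault output): a read, an unauthorized
# pre-authorization request entry, a denied destroy, and three successful deletions.
SAMPLE_AUDIT_LINES = [
    '{"time":"2026-04-17T04:00:01Z","type":"response","auth":{"display_name":"approle-billing","entity_id":"ent-1","policies":["default","billing-rw"]},"request":{"operation":"read","path":"secret/data/billing/db","namespace":{"id":"root"},"remote_address":"10.0.0.5"},"error":""}',
    '{"time":"2026-04-17T04:00:02Z","type":"request","auth":{"display_name":"approle-billing","entity_id":"ent-1","policies":["default","billing-rw"]},"request":{"operation":"delete","path":"secret/data/payments/api-key","namespace":{"id":"root"},"remote_address":"10.0.0.5"},"error":""}',
    '{"time":"2026-04-17T04:00:02Z","type":"response","auth":{"display_name":"approle-billing","entity_id":"ent-1","policies":["default","billing-rw"]},"request":{"operation":"delete","path":"secret/data/payments/api-key","namespace":{"id":"root"},"remote_address":"10.0.0.5"},"error":""}',
    '{"time":"2026-04-17T04:00:03Z","type":"response","auth":{"display_name":"approle-billing","entity_id":"ent-1","policies":["default","billing-rw"]},"request":{"operation":"update","path":"secret/destroy/payments/api-key","namespace":{"id":"root"},"remote_address":"10.0.0.5"},"error":"1 error occurred:\\n\\t* permission denied\\n\\n"}',
    '{"time":"2026-04-17T04:00:04Z","type":"response","auth":{"display_name":"approle-billing","entity_id":"ent-1","policies":["default","billing-rw"]},"request":{"operation":"delete","path":"secret/metadata/payments/api-key","namespace":{"id":"root"},"remote_address":"10.0.0.5"},"error":""}',
    '{"time":"2026-04-17T04:00:05Z","type":"response","auth":{"display_name":"token-hr-admin","entity_id":"ent-2","policies":["default","hr-admin"]},"request":{"operation":"update","path":"secret/delete/hr/payroll","namespace":{"id":"root"},"remote_address":"10.0.0.9"},"error":""}',
    "not json at all",
]

if __name__ == "__main__":
    found = find_kv2_deletions(SAMPLE_AUDIT_LINES)
    for f in found:
        print(f"{f['time']} {f['display_name']} ({', '.join(f['policies'])}) "
              f"{f['action']}: {f['mount']}/{f['secret']}")
    print(by_actor(found))
```

Run it against a real audit file with `find_kv2_deletions(open("vault_audit.log"))` and a tuple of the KV V2 mount names in use. Deletions performed by an identity whose listed policies reach the affected path only through a glob are the ones to reconcile against the services that depend on those secrets; the audit record does not contain the policy text, so that last step is a lookup against `vault policy read` output for the named policies.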

Remediation

Users are advised to upgrade to Vault Community Edition 2.0.0 or Vault Enterprise versions 2.0.0, 1.21.5, 1.20.10, or 1.19.16.

Added: Apr 17, 2026, 4:21 AM
Updated: Apr 17, 2026, 4:21 AM

Vulnerability Rating

Custom Algorithm
spread: 7.3
impact: 1.3
exploitability: 5.2
remediation: 7.7
relevance: 6.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.