CVE-2026-4525

HIGH

Vault Token Leaked to Backends via Authorization: Bearer Passthrough Header

Title source: cna

Description

If a Vault auth mount is tuned to pass the "Authorization" request header through to its backend (the mount's passthrough_request_headers setting), and a client authenticates to Vault by carrying its Vault token in that same header ("Authorization: Bearer <token>" instead of "X-Vault-Token"), Vault forwarded the header unchanged, and with it the caller's Vault token, to the auth plugin backend. The backend therefore received a credential it was never meant to hold, which is the CWE-201 exposure recorded below. Only deployments that both run an affected build and have at least one auth mount passing "Authorization" through are exposed. Fixed in 2.0.0, 1.21.5, 1.20.10, and 1.19.16.
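The two conditions above can be checked from data the vault CLI already exports. The script below is an added example written for this page, not HashiCorp code: it assumes the JSON shapes of `vault status -format=json` (a "version" field) and `vault read -format=json sys/auth` (per-mount "config" with a "passthrough_request_headers" list), treats the advisory's version ranges as inclusive of 0.11.2 and exclusive of the fixed release for each line, and uses a constructed sys/auth document as sample input.

```python
"""Exposure check for CVE-2026-4525 (added example; not HashiCorp code).

Exposure needs both:
 1. a Vault build older than the fix for its release line, and
 2. an auth mount whose passthrough_request_headers include Authorization.
Inputs are what these commands emit (shapes assumed, see lead-in):
   vault status -format=json            -> {"version": "1.20.9", ...}
   vault read -format=json sys/auth     -> {"data": {"<path>/": {"config": {...}}}}
"""
import json
import re

# Fixed releases named in the advisory, keyed by release line.
# Anything >= 2.0.0 is fixed; lines with no entry (pre-1.19) never got a
# fix and are treated as affected, which is the conservative reading.
FIXED = {(1, 19): (1, 19, 16), (1, 20): (1, 20, 10), (1, 21): (1, 21, 5)}
FIRST_AFFECTED = (0, 11, 2)  # lower bound of the affected range


def parse_version(text):
    """Turn '1.20.3', 'v1.20.3' or '1.20.3+ent' into (major, minor, patch)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Vault version: {text!r}")
    return tuple(int(x) for x in m.groups())


def version_is_affected(text):
    """True if this build predates the fix for its release line."""
    v = parse_version(text)
    if v < FIRST_AFFECTED or v >= (2, 0, 0):
        return False
    fix = FIXED.get(v[:2])
    return fix is None or v < fix


def mounts_passing_authorization(sys_auth_json):
    """Auth mount paths that pass the Authorization header to their backend.

    Header names are compared case-insensitively, since HTTP headers are.
    """
    data = json.loads(sys_auth_json)["data"]
    hits = []
    for path, mount in data.items():
        cfg = mount.get("config") or {}
        headers = cfg.get("passthrough_request_headers") or []
        if any(h.lower() == "authorization" for h in headers):
            hits.append(path)
    return sorted(hits)


def assess(version_text, sys_auth_json):
    """One verdict combining the build check and the mount check."""
    exposed = mounts_passing_authorization(sys_auth_json)
    if not version_is_affected(version_text):
        return "fixed build; no action needed for this CVE"
    if not exposed:
        return ("vulnerable build, but no auth mount passes Authorization "
                "through; upgrade when convenient")
    return ("EXPOSED: upgrade, and until then drop Authorization from "
            "passthrough_request_headers on " + ", ".join(exposed))


# Constructed sample, shaped like `vault read -format=json sys/auth`.
SAMPLE_SYS_AUTH = json.dumps({"data": {
    "token/": {"type": "token",
               "config": {"default_lease_ttl": 0, "max_lease_ttl": 0}},
    "jwt/": {"type": "jwt",
             "config": {"default_lease_ttl": 0, "max_lease_ttl": 0,
                        "passthrough_request_headers":
                            ["X-Forwarded-For", "authorization"]}},
    "approle/": {"type": "approle",
                 "config": {"passthrough_request_headers": ["X-Request-Id"]}},
}})

if __name__ == "__main__":
    for ver in ("1.20.9", "1.20.10", "1.18.4", "v1.21.5+ent", "2.0.0"):
        print(f"{ver:>12} -> {assess(ver, SAMPLE_SYS_AUTH)}")
```

Run it against real output by piping `vault status -format=json` and `vault read -format=json sys/auth` into the two functions; the sample run flags only the jwt/ mount, because its passthrough list contains "authorization" in lower case, which still matches the Authorization header on the wire.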

Scores

CVSS v3.1 7.5 (High)
EPSS 0.0002 (0.02%)
EPSS Percentile 4.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-201 Insertion of Sensitive Information Into Sent Data
Status published
Products (5)
hashicorp/vault 0.11.2 (Go)
hashicorp/vault 0.11.2 - 1.19.16
HashiCorp/Vault 0.11.2 - 2.0.0
hashicorp/vault 0.11.2 - 2.0.0
HashiCorp/Vault Enterprise 0.11.2 - 2.0.0
(Range upper bounds are the fixed releases named in the description.)
Published Apr 17, 2026
Tracked Since Apr 17, 2026