CVE-2026-5052

MEDIUM

Vault Vulnerable to Server-Side Request Forgery in ACME Challenge Validation via Attacker-Controlled DNS

Title source: cna

Description

Vault’s PKI engine’s ACME validation did not reject local targets when issuing http-01 and tls-alpn-01 challenges. This may lead to these requests being sent to local network targets, potentially leading to information disclosure. Fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.

References (1)

https://discuss.hashicorp.com/t/hcsec-2026-06-vault-vulnerable-to-server-side-request-forgery-in-acme-challenge-validation-via-attacker-controlled-dns/77343

Scores

CVSS v3 5.3

EPSS 0.0001

EPSS Percentile 3.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-918

Status published

Products (5)

hashicorp/vault 1.14.0Go

hashicorp/vault 1.14.0 - 1.19.16

hashicorp/vault 1.14.0 - 2.0.0

HashiCorp/Vault 1.15.0 - 2.0.0

HashiCorp/Vault Enterprise 1.15.0 - 2.0.0

Published Apr 17, 2026

Tracked Since Apr 17, 2026