Vault Token Leaked to Backends via Authorization: Bearer Passthrough Header

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

If a Vault auth mount is configured to pass through the "Authorization" header, and the "Authorization" header is used to authenticate to Vault, Vault forwarded the Vault token to the auth plugin backend. Fixed in 2.0.0, 1.21.5, 1.20.10, and 1.19.16.

Basic Information

ID CVE-2026-4525

Source HashiCorp

Published Apr 17, 2026 at 03:00

Affected Product

Vendor HashiCorp

Product Vault

Version 0.11.2

Affected Versions HashiCorp Vault 0.11.2
HashiCorp Vault Enterprise 0.11.2

CWE Classification

CWE-201

References

discuss.hashicorp.com /t/hcsec-2026-07-vault-may-expose-tokens-to-auth-plugins-due-to-incorrect-header-sanitization/77344

{
    "lastseen": "",
    "description": "If a Vault auth mount is configured to pass through the \"Authorization\" header, and the \"Authorization\" header is used to authenticate to Vault, Vault forwarded the Vault token to the auth plugin backend. Fixed in 2.0.0, 1.21.5, 1.20.10, and 1.19.16.",
    "published": "2026-04-17T03:00:47.561Z",
    "modified": "2026-04-17T03:00:47.561Z",
    "type": "cve",
    "title": "Vault Token Leaked to Backends via Authorization: Bearer Passthrough Header",
    "source": "HashiCorp",
    "references": "https://discuss.hashicorp.com/t/hcsec-2026-07-vault-may-expose-tokens-to-auth-plugins-due-to-incorrect-header-sanitization/77344",
    "id": "CVE-2026-4525",
    "bulletinFamily": "",
    "cwe": [
        "CWE-201"
    ],
    "cvelist": null,
    "sourceData": "HashiCorp Vault 0.11.2\nHashiCorp Vault Enterprise 0.11.2",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Vault",
    "version": "0.11.2",
    "vendor": "HashiCorp",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Vault Token Leaked to Backends via Authorization: Bearer Passthrough Header_CVE-2026-4525