CVE Details
Basic Information
| Title | Vault Userpass and LDAP User Lockout Bypass |
|---|---|
| Type | cve |
| Published | 2025-08-01T17:56:00.780Z |
| Modified | 2025-08-01T19:11:52.729Z |
Product Information
| Vendor | HashiCorp |
|---|---|
| Product | Vault |
| Version | 1.13.0 |
CVSS Information
| Base Score | 5.3 (MEDIUM) |
|---|---|
| Vector String | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
AI Analysis
| AI Description | Vault's user lockout feature could be bypassed for the Userpass and LDAP authentication methods, so an attacker who keeps submitting wrong passwords is never locked out and can brute-force those accounts without limit (CWE-307, improper restriction of excessive authentication attempts). The login endpoints are reachable without credentials, hence the network vector with no privileges required; the flaw weakens a protection mechanism rather than disclosing data directly, which is reflected in the low integrity and no confidentiality impact. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12 and 1.16.23. Lockout is enabled by default on these auth methods, so deployments that rely on it as their brute-force control should upgrade or compensate with rate limiting and monitoring of failed logins in the meantime. |
|---|---|
| AI Severity | Medium |
| AI Vendor | HashiCorp |
| AI Product | Vault |
| AI Version | 1.13.0 |
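Because the lockout cannot be trusted on affected builds, a compensating detection is to replay the Vault audit log and look for accounts that exceed the lockout threshold and then still log in. The following is an added example written for this record, not code from HashiCorp or from the CVE entry. It assumes Vault's documented JSON audit-log shape (`type`, `time`, `request.path`, `request.remote_address`, `error`), the default `userpass` and `ldap` mount names, and Vault's default lockout parameters (5 failures within a 15 minute counter-reset window); the sample log lines are constructed, not captured.

```python
"""Detect password guessing against Vault userpass/LDAP logins in audit-log lines.

Added example for this record; not code from HashiCorp or from the CVE entry.
Field names (type, time, request.path, request.remote_address, error) follow
Vault's documented JSON audit-log shape; mount names and sample entries are
constructed assumptions, not captured data.
"""
import json
import re
from datetime import datetime, timedelta

# Login paths for the two auth methods named in the advisory; the final path
# segment is the username. Default mount names are assumed.
LOGIN_PATH = re.compile(r"^auth/(?P<method>userpass|ldap)/login/(?P<user>[^/]+)$")

# Vault's documented lockout defaults: 5 failures within a 15 minute reset window.
DEFAULT_THRESHOLD = 5
DEFAULT_WINDOW = timedelta(minutes=15)


def _entry(time, path, remote, error=None, auth=None, kind="response"):
    """Build one constructed audit-log line in Vault's JSON shape."""
    e = {"time": time, "type": kind,
         "request": {"operation": "update", "path": path, "remote_address": remote}}
    if error is not None:
        e["error"] = error
    if auth is not None:
        e["auth"] = auth
    return json.dumps(e)


BAD = "invalid username or password"
SAMPLE_AUDIT_LOG = "\n".join([
    # carol (LDAP): five failures from two sources, then a sixth 26 minutes later
    _entry("2025-08-01T09:00:00Z", "auth/ldap/login/carol", "198.51.100.9", error=BAD),
    _entry("2025-08-01T09:01:00Z", "auth/ldap/login/carol", "198.51.100.9", error=BAD),
    _entry("2025-08-01T09:02:00Z", "auth/ldap/login/carol", "198.51.100.10", error=BAD),
    _entry("2025-08-01T09:03:00Z", "auth/ldap/login/carol", "198.51.100.10", error=BAD),
    _entry("2025-08-01T09:04:00Z", "auth/ldap/login/carol", "198.51.100.9", error=BAD),
    _entry("2025-08-01T09:30:00Z", "auth/ldap/login/carol", "198.51.100.9", error=BAD),
    # alice (userpass): six failures in three minutes, then a successful login
    *[_entry(f"2025-08-01T10:0{i // 2}:{'30' if i % 2 else '00'}Z",
             "auth/userpass/login/alice", "203.0.113.7", error=BAD) for i in range(6)],
    _entry("2025-08-01T10:03:00Z", "auth/userpass/login/alice", "203.0.113.7",
           auth={"display_name": "userpass-alice"}),
    # bob: two failures, below the threshold
    _entry("2025-08-01T10:10:00Z", "auth/userpass/login/bob", "203.0.113.8", error=BAD),
    _entry("2025-08-01T10:10:05Z", "auth/userpass/login/bob", "203.0.113.8", error=BAD),
    # noise: a request-side entry and a non-login path, both ignored
    _entry("2025-08-01T10:10:06Z", "auth/userpass/login/bob", "203.0.113.8", kind="request"),
    _entry("2025-08-01T10:10:07Z", "sys/health", "203.0.113.8"),
])


def _ts(s):
    """Parse Vault's RFC 3339 timestamp; trim nanoseconds for fromisoformat."""
    s = re.sub(r"(\.\d{6})\d+", r"\1", s).replace("Z", "+00:00")
    return datetime.fromisoformat(s)


def login_events(lines):
    """Yield (time, method, user, remote_address, succeeded) for response entries
    on userpass/ldap login paths. A failed (or locked-out) login carries `error`."""
    for raw in lines:
        if not raw.strip():
            continue
        e = json.loads(raw)
        if e.get("type") != "response":
            continue
        req = e.get("request", {})
        m = LOGIN_PATH.match(req.get("path", ""))
        if not m:
            continue
        yield _ts(e["time"]), m["method"], m["user"], req.get("remote_address", "?"), not e.get("error")


def analyse(lines, threshold=DEFAULT_THRESHOLD, window=DEFAULT_WINDOW):
    """Replay login events and report accounts whose failures inside `window`
    reached `threshold`. `success_after_threshold` is the telling signal: with
    lockout working, no login can succeed once the threshold has been hit."""
    recent = {}    # (method, user) -> failure timestamps still inside the window
    sources = {}   # (method, user) -> remote addresses seen failing
    findings = {}
    for t, method, user, remote, ok in sorted(login_events(lines), key=lambda ev: ev[0]):
        key = (method, user)
        fails = [f for f in recent.get(key, []) if t - f <= window]
        if ok:
            if len(fails) >= threshold:
                findings[key]["success_after_threshold"] = True
            recent[key] = []
            continue
        fails.append(t)
        recent[key] = fails
        sources.setdefault(key, set()).add(remote)
        if len(fails) >= threshold:
            f = findings.setdefault(key, {"failures": 0, "sources": set(),
                                          "success_after_threshold": False})
            f["failures"] = max(f["failures"], len(fails))
            f["sources"] = set(sources[key])
    return findings


if __name__ == "__main__":
    for (method, user), f in analyse(SAMPLE_AUDIT_LOG.splitlines()).items():
        flag = "LOCKOUT NOT ENFORCED" if f["success_after_threshold"] else "threshold reached"
        print(f"{method}/{user}: {f['failures']} failures from {sorted(f['sources'])}: {flag}")
```

Run against a real audit device's output, alice's pattern (threshold reached, then a success from the same source) is the one that should never appear on a build where lockout is enforced; carol's pattern is ordinary password spraying that the lockout would normally absorb, and is worth alerting on regardless of version.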
Affected Products
- HashiCorp Vault (Community Edition) 1.13.0 and later, before 1.20.1
- HashiCorp Vault Enterprise 1.13.0 and later, before 1.20.1, 1.19.7, 1.18.12 and 1.16.23 on the respective release branches
Additional Information
| CWE List | CWE-307 |
|---|---|
| Source | HashiCorp |
Description
Vault and Vault Enterprise’s (“Vault”) user lockout feature could be bypassed for Userpass and LDAP authentication methods. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.
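The fixed releases differ by edition and branch, and Community Edition has a fix only on 1.20, so checking a fleet by eye is error-prone. The following is an added example, not code from HashiCorp, that classifies the string printed by `vault version` against the versions stated in this record. It assumes Enterprise builds mark themselves with a `+ent` suffix (for example `Vault v1.19.5+ent.hsm`) and treats 1.13.0 as the first affected release, as the record's version field indicates.

```python
"""Classify a Vault build against the lockout-bypass fix versions in this record.

Added example, not HashiCorp code. Fixed versions are taken from the record;
the "+ent" build-metadata convention for Enterprise binaries is an assumption
about `vault version` output.
"""
import re

FIRST_AFFECTED = (1, 13, 0)  # version listed in the record as affected

# Fixed releases from the record, keyed by edition and minor release branch.
FIXED = {
    "community": {(1, 20): (1, 20, 1)},
    "enterprise": {(1, 20): (1, 20, 1), (1, 19): (1, 19, 7),
                   (1, 18): (1, 18, 12), (1, 16): (1, 16, 23)},
}

_VER = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(?:\+(?P<meta>[\w.]+))?")


def parse(version_string):
    """Return (edition, (major, minor, patch)) from e.g. 'Vault v1.19.5+ent.hsm'."""
    m = _VER.search(version_string)
    if not m:
        raise ValueError(f"unrecognised version string: {version_string!r}")
    meta = m.group("meta") or ""
    edition = "enterprise" if meta.split(".")[0] == "ent" else "community"
    return edition, tuple(int(x) for x in m.groups()[:3])


def status(version_string):
    """'not_affected' (before the lockout feature existed), 'fixed', or 'vulnerable'.

    A branch without a listed fix counts as fixed only at or above the newest
    fixed release, so Enterprise 1.17.x and every Community release below
    1.20.1 are reported vulnerable, matching the record."""
    edition, ver = parse(version_string)
    if ver < FIRST_AFFECTED:
        return "not_affected"
    fixed_in = FIXED[edition].get(ver[:2])
    if fixed_in is not None:
        return "fixed" if ver >= fixed_in else "vulnerable"
    return "fixed" if ver >= max(FIXED[edition].values()) else "vulnerable"


if __name__ == "__main__":
    for s in ("Vault v1.20.1", "Vault v1.19.7", "Vault v1.19.7+ent",
              "Vault v1.17.3+ent", "Vault v1.12.11"):
        print(f"{s:24} {status(s)}")
```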