CVE-2026-4525— Vault Token Leaked to Backends via Authorization: Bearer Passthrough Header
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-4525
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Vault Token Leaked to Backends via Authorization: Bearer Passthrough Header
Source: NVD (National Vulnerability Database)
Vulnerability Description
If a Vault auth mount is configured to pass through the "Authorization" header, and the "Authorization" header is used to authenticate to Vault, Vault forwarded the Vault token to the auth plugin backend. Fixed in 2.0.0, 1.21.5, 1.20.10, and 1.19.16.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
通过发送数据的信息暴露
Source: NVD (National Vulnerability Database)
Vulnerability Title
HashiCorp Vault 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
HashiCorp Vault是美国HashiCorp公司的一款私钥访问管理工具。 HashiCorp Vault 2.0.0之前版本、1.21.5之前版本、1.20.10之前版本和1.19.16之前版本存在安全漏洞,该漏洞源于Vault将令牌转发到身份验证插件后端。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| HashiCorp | Vault | 0.11.2 ~ 2.0.0 | - | |
| HashiCorp | Vault Enterprise | 0.11.2 ~ 2.0.0 | - |
II. Public POCs for CVE-2026-4525
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-4525
请登录查看更多情报信息。
Same Patch Batch · HashiCorp · 2026-04-17 · 4 CVEs total
| CVE-2026-3605 | 8.1 HIGH | Vault KVv2 Metadata and Secret Deletion Policy Bypass Denial-of-Service |
| CVE-2026-5807 | 7.5 HIGH | Vault Vulnerable to Denial-of-Service via Unauthenticated Root Token Generation/Rekey Oper |
| CVE-2026-5052 | 5.3 MEDIUM | Vault Vulnerable to Server-Side Request Forgery in ACME Challenge Validation via Attacker- |
IV. Related Vulnerabilities
Same product: Vault
- CVE-2026-5807
Vault Vulnerable to Denial-of-Service via Unauthenticated Ro - CVE-2026-5052
Vault Vulnerable to Server-Side Request Forgery in ACME Chal - CVE-2026-3605
Vault KVv2 Metadata and Secret Deletion Policy Bypass Denial - CVE-2025-12044
Vault Vulnerable to Denial of Service Due to Rate Limit Regr - CVE-2025-11621
Vault AWS auth method bypass due to AWS client cache
Same vendor: HashiCorp
- CVE-2026-7776
Boundary Workers Vulnerable to Denial of Service During TLS - CVE-2026-5807
Vault Vulnerable to Denial-of-Service via Unauthenticated Ro - CVE-2026-5052
Vault Vulnerable to Server-Side Request Forgery in ACME Chal - CVE-2026-3605
Vault KVv2 Metadata and Secret Deletion Policy Bypass Denial - CVE-2026-4660
Go-getter may allow to arbitrary filesystem reads through gi
Same weakness: CWE-201
- CVE-2025-31978
HCL BigFix Service Management (SM) does not adequately sanit - CVE-2026-42379
WordPress Templately plugin <= 3.6.1 - Sensitive Data Exposu - CVE-2026-5512
Improper authorization vulnerability in GitHub Enterprise Se - CVE-2026-40161
Tekton Pipelines: Git resolver API mode leaks system-configu - CVE-2026-5483
Odh-dashboard: odh dashboard kubernetes service account expo
V. Comments for CVE-2026-4525
No comments yet