
HashiCorp — Vulnerabilities & Security Advisories (89)

Browse all 89 CVE security advisories affecting HashiCorp. AI-powered Chinese analysis, POCs, and references for each vulnerability.

HashiCorp develops infrastructure automation software, best known for Terraform, Vault, and Consul, which organizations use to provision and secure cloud infrastructure. The vulnerability classes disclosed across its products include remote code execution, cross-site scripting, and privilege escalation, and most of them arise at integration points (auth methods, secrets engines, plugins, audit devices) or in how the tools are wired into surrounding systems rather than in one core component. With 89 CVEs on record, the security picture reflects the risk profile of widely deployed, high-privilege management software: Vault in particular holds the credentials for everything else, so an authentication bypass or token leak with a mid-range CVSS score still calls for prompt patching. No single incident defines the company's security history, but the steady volume of advisories across a broad ecosystem of plugins and integrations means operators should track the advisory feed and apply fixes quickly, so that the automation layer does not become the route to systemic compromise.

Found 37 results (of 89)

CVE ID | Title | Product | CWE | CVSS | Severity | Published
CVE-2026-5807 | Vault Vulnerable to Denial-of-Service via Unauthenticated Root Token Generation/Rekey Operations | Vault | CWE-770 | 7.5 | High | 2026-04-17
CVE-2026-4525 | Vault Token Leaked to Backends via Authorization: Bearer Passthrough Header | Vault | CWE-201 | 7.5 | High | 2026-04-17
CVE-2026-5052 | Vault Vulnerable to Server-Side Request Forgery in ACME Challenge Validation via Attacker-Controlled DNS | Vault | CWE-918 | 5.3 | Medium | 2026-04-17
CVE-2026-3605 | Vault KVv2 Metadata and Secret Deletion Policy Bypass Denial-of-Service | Vault | CWE-288 | 8.1 | High | 2026-04-17
CVE-2025-12044 | Vault Vulnerable to Denial of Service Due to Rate Limit Regression | Vault | CWE-770 | 7.5 | High | 2025-10-23
CVE-2025-11621 | Vault AWS auth method bypass due to AWS client cache | Vault | CWE-288 | 8.1 | High | 2025-10-23
CVE-2025-6203 | Vault unauthenticated denial of service through complex JSON payload | Vault | CWE-770 | 7.5 | High | 2025-08-28
CVE-2025-6013 | Vault LDAP MFA Enforcement Bypass When Using Username As Alias | Vault | CWE-156 | 6.5 | Medium | 2025-08-06
CVE-2025-6015 | Vault Login MFA Bypass of Rate Limiting and TOTP Code Reuse | Vault | CWE-307 | 5.7 | Medium | 2025-08-01
CVE-2025-6011 | Timing Side-Channel in Vault's Userpass Auth Method | Vault | CWE-203 | 3.7 | Low | 2025-08-01
CVE-2025-6004 | Vault Userpass and LDAP User Lockout Bypass | Vault | CWE-307 | 5.3 | Medium | 2025-08-01
CVE-2025-6037 | Vault Certificate Auth Method Did Not Validate Common Name For Non-CA Certificates | Vault | CWE-295 | 6.8 | Medium | 2025-08-01
CVE-2025-6014 | Vault TOTP Secrets Engine Code Reuse | Vault | CWE-156 | 6.5 | Medium | 2025-08-01
CVE-2025-6000 | Arbitrary Remote Code Execution via Plugin Catalog Abuse | Vault | CWE-94 | 9.1 | Critical | 2025-08-01
CVE-2025-5999 | Vault Root Namespace Operator May Elevate Token Privileges | Vault | CWE-266 | 7.2 | High | 2025-08-01
CVE-2025-4656 | Vault Vulnerable to Recovery Key Cancellation Denial of Service | Vault | CWE-1088 | 3.1 | Low | 2025-06-25
CVE-2025-3879 | Vault's Azure Authentication Method bound_location Restriction Could be Bypassed on Login | Vault | CWE-863 | 6.6 | Medium | 2025-05-02
CVE-2025-4166 | Vault May Include Sensitive Data in Error Logs When Using the KV v2 Plugin | Vault | CWE-209 | 4.5 | Medium | 2025-05-02
CVE-2024-8185 | Vault Vulnerable to Denial of Service When Processing Raft Join Requests | Vault | CWE-636 | 7.5 | High | 2024-10-31
CVE-2024-9180 | Vault Operators in Root Namespace May Elevate Their Privileges | Vault | CWE-266 | 7.2 | High | 2024-10-10
CVE-2024-7594 | Vault SSH Secrets Engine Configuration Did Not Restrict Valid Principals By Default | Vault | CWE-732 | 7.5 | High | 2024-09-26
CVE-2024-8365 | Vault Leaks AppRole Client Tokens And Accessor in Audit Log | Vault | CWE-532 | 6.2 | Medium | 2024-09-02
CVE-2024-6468 | Vault Vulnerable to Denial of Service When Setting a Proxy Protocol Behavior | Vault | CWE-703 | 7.5 | High | 2024-07-11
CVE-2024-5798 | Vault Incorrectly Validated JSON Web Tokens (JWT) Audience Claims | Vault | CWE-287 | 2.6 | Low | 2024-06-12
CVE-2024-2660 | Vault TLS Cert Auth Method Did Not Correctly Validate OCSP Responses | Vault | CWE-636 | 6.4 | Medium | 2024-04-04
CVE-2024-2048 | Vault Cert Auth Method Did Not Correctly Validate Non-CA Certificates | Vault | CWE-295 | 8.1 | High | 2024-03-04
CVE-2024-0831 | Vault May Expose Sensitive Information When Configuring An Audit Log Device | Vault | CWE-532 | 4.5 | Medium | 2024-02-01
CVE-2023-6337 | Vault May be Vulnerable to a Denial of Service Through Memory Exhaustion When Handling Large HTTP Requests | Vault | CWE-770 | 7.5 | High | 2023-12-08
CVE-2023-5954 | Vault Requests Triggering Policy Checks May Lead To Unbounded Memory Consumption | Vault | CWE-401 | 5.9 | Medium | 2023-11-09
CVE-2023-5077 | Vault's Google Cloud Secrets Engine Removed Existing IAM Conditions When Creating / Updating Rolesets | Vault | CWE-266 | 7.6 | High | 2023-09-28
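As an added example (not part of this page and not HashiCorp's own tooling), the following Python turns advisory rows in the fused layout this page uses into structured records, orders them for triage by CVSS with a coarse CWE-derived bucket, and checks the build a Vault cluster reports in the `version` field of `GET /v1/sys/health` against the fixed version taken from an advisory. The sample rows are copied from the list above; the health response and the fixed version `1.18.3` are constructed placeholders rather than values from any advisory, and the CWE-to-bucket map is a triage heuristic, not CWE's own taxonomy.

```python
import re
from dataclasses import dataclass

# Constructed sample: rows copied from the advisory list above, in the fused
# "CVE Title — ProductCWE-n CVSS SeverityYYYY-MM-DD" layout this page uses.
ROWS = [
    "CVE-2025-6000 Arbitrary Remote Code Execution via Plugin Catalog Abuse — VaultCWE-94 9.1 Critical2025-08-01",
    "CVE-2025-11621 Vault AWS auth method bypass due to AWS client cache — VaultCWE-288 8.1 High2025-10-23",
    "CVE-2023-6337 Vault May be Vulnerable to a Denial of Service Through Memory Exhaustion When Handling Large HTTP Requests — VaultCWE-770 7.5 High2023-12-08",
    "CVE-2024-8365 Vault Leaks AppRole Client Tokens And Accessor in Audit Log — VaultCWE-532 6.2 Medium2024-09-02",
    "CVE-2025-6011 Timing Side-Channel in Vault’s Userpass Auth Method — VaultCWE-203 3.7 Low2025-08-01",
]

# Triage heuristic (not CWE's taxonomy): map the CWE ids used on this page to
# the question an operator asks first. Unknown ids fall through to "other".
CWE_BUCKET = {
    "CWE-94": "code execution",
    "CWE-287": "auth bypass", "CWE-288": "auth bypass", "CWE-295": "auth bypass",
    "CWE-863": "auth bypass", "CWE-307": "auth bypass",
    "CWE-266": "privilege escalation", "CWE-732": "privilege escalation",
    "CWE-201": "info disclosure", "CWE-203": "info disclosure",
    "CWE-209": "info disclosure", "CWE-532": "info disclosure",
    "CWE-770": "denial of service", "CWE-401": "denial of service",
    "CWE-918": "ssrf",
}

# Product and CWE are fused ("VaultCWE-770"); the regex backtracks the product
# name until the literal "CWE-" lines up, so no delimiter is needed there.
ROW_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,}) (?P<title>.+?) — (?P<product>[A-Za-z]+)"
    r"(?P<cwe>CWE-\d+) (?P<cvss>\d+\.\d) (?P<severity>Critical|High|Medium|Low)"
    r"(?P<published>\d{4}-\d{2}-\d{2})$"
)


@dataclass(frozen=True)
class Advisory:
    cve: str
    title: str
    product: str
    cwe: str
    cvss: float
    severity: str
    published: str

    @property
    def bucket(self) -> str:
        return CWE_BUCKET.get(self.cwe, "other")


def parse_row(row: str) -> Advisory:
    m = ROW_RE.match(row)
    if m is None:
        raise ValueError(f"unrecognised advisory row: {row!r}")
    fields = m.groupdict()
    fields["cvss"] = float(fields["cvss"])
    return Advisory(**fields)


def triage(rows, product="Vault", min_cvss=0.0):
    """Advisories for one product, highest CVSS first and newest first on ties."""
    advs = [a for a in map(parse_row, rows) if a.product == product and a.cvss >= min_cvss]
    return sorted(advs, key=lambda a: (a.cvss, a.published), reverse=True)


_VER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?(?:\+[0-9A-Za-z.]+)?$")


def parse_version(v: str):
    """Turn '1.18.3', '1.19.0-rc1' or '1.17.6+ent' into a comparable tuple.
    Build metadata after '+' (e.g. '+ent', '+ent.hsm') is ignored, as semver
    requires; a pre-release sorts below the final release with the same numbers.
    Pre-release tags are compared as plain strings, which is enough for rc1/rc2."""
    m = _VER_RE.match(v.strip())
    if m is None:
        raise ValueError(f"cannot parse Vault version {v!r}")
    major, minor, patch, pre = m.groups()
    pre_key = (1, "") if pre is None else (0, pre)
    return (int(major), int(minor), int(patch), pre_key)


def is_patched(running: str, fixed: str) -> bool:
    """True when the running build is at or above the advisory's fixed version."""
    return parse_version(running) >= parse_version(fixed)


def running_version(health: dict) -> str:
    """Vault reports its build in the 'version' field of GET /v1/sys/health."""
    return health["version"]


# Constructed /v1/sys/health response; the version here is a placeholder.
SAMPLE_HEALTH = {"initialized": True, "sealed": False, "standby": False, "version": "1.18.2"}
FIXED_PLACEHOLDER = "1.18.3"  # hypothetical fixed version, not taken from any advisory


if __name__ == "__main__":
    for a in triage(ROWS, min_cvss=7.0):
        print(f"{a.cve:15} {a.cvss:4} {a.severity:8} {a.bucket:20} {a.published}")
    print("patched:", is_patched(running_version(SAMPLE_HEALTH), FIXED_PLACEHOLDER))
```

HashiCorp advisories list separate fixed versions for Community and Enterprise builds, so a `+ent` version must be compared against the Enterprise column; `is_patched` discards `+ent` as build metadata, which is correct for ordering but leaves picking the right fixed version to the operator.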

This page lists every published CVE security advisory associated with HashiCorp. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.