HashiCorp security advisory (AV26-363)
Analysis Summary
# Vulnerability: HashiCorp Vault Multiple Vulnerabilities (April 2026)
## CVE Details
- **CVE ID:** CVE-2026-25123 (KVv2 policy bypass / DoS) and CVE-2026-25124 (ACME SSRF)
- **CVSS Score:** 7.5 (High) for CVE-2026-25123 and 8.3 (High) for CVE-2026-25124
- **CWE:** CWE-400 (Uncontrolled Resource Consumption) for the KVv2 issue; CWE-918 (Server-Side Request Forgery) for the ACME issue
## Affected Systems
- **Products:** HashiCorp Vault Community Edition, HashiCorp Vault Enterprise Edition
- **Versions:**
  - KVv2 issue (CVE-2026-25123): 1.15.0 through 1.15.10, and 1.16.0
  - ACME SSRF issue (CVE-2026-25124): 1.14.0 through 1.16.0
- **Configurations:** Systems utilizing the KVv2 (Key-Value) secrets engine or the PKI secrets engine with ACME protocol enabled.
## Vulnerability Description
This advisory covers two distinct flaws:
1. **KVv2 Policy Bypass/DoS (HCSEC-2026-05):** Vault's policy enforcement for KVv2 metadata and secret-deletion operations is flawed. An attacker who already holds specific permissions on the mount can bypass the intended deletion policy, or trigger resource exhaustion that denies service on the secrets engine.
2. **ACME SSRF (HCSEC-2026-06):** Vault's PKI secrets engine performs outbound requests when validating ACME challenges. Because the target of that validation is derived from DNS records the requester controls, an attacker can steer the Vault server into making unintended requests to internal or external infrastructure (Server-Side Request Forgery).
## Exploitation
- **Status:** Not exploited in the wild (at time of advisory)
- **Complexity:** Medium
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Internal scanning/data retrieval via SSRF)
- **Integrity:** Medium (Policy bypass)
- **Availability:** High (Denial of Service)
## Remediation
### Patches
HashiCorp recommends upgrading to one of the following versions:
- Vault 1.15.11
- Vault 1.16.1
No fixed 1.14.x release is listed in this advisory, so deployments on 1.14.x (affected by the ACME SSRF issue) should move to one of the versions above rather than wait for a 1.14 point release.
### Workarounds
- **For SSRF:** Disable ACME on every PKI mount where it is not strictly required (the mount's `config/acme` endpoint controls this). Independently of that, restrict the Vault server's egress with host or network firewalls to the endpoints it legitimately needs (storage backend, auth providers, audit sinks), so that a forged validation request to an internal address is dropped rather than answered.
- **For KVv2:** Until patched, audit every policy that grants `delete` on the mount's `data/` or `metadata/` paths, or `update` on its `delete/`, `destroy/` and `undelete/` paths, and remove those capabilities from tokens that do not need them. Deletion rights on KVv2 are spread across several API prefixes, so a policy written as a single `<mount>/*` rule grants all of them at once.
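The KVv2 audit above is mechanical enough to script. The following is an added example, not HashiCorp's code: it parses simple Vault ACL policies (HCL `path` blocks with a `capabilities` list, as returned by `sys/policies/acl/<name>`), applies Vault's glob rules, and reports every rule that grants a deletion-type right on a KVv2 mount. The mount name `secret/`, the representative request paths and both policy texts are assumptions constructed for illustration; policies with nested blocks such as `allowed_parameters` are out of scope for this parser.

```python
"""Audit Vault ACL policies for deletion rights on a KVv2 mount.

Added example, not HashiCorp code. Assumes the KVv2 engine is mounted at
"secret/" and that policies are plain path blocks with a capabilities list.
"""
import re
from typing import Dict, List, Tuple

KV_MOUNT = "secret"  # assumed mount path of the KVv2 engine

# Representative request paths in the KVv2 API and the capability that
# authorises a deletion-type operation on each prefix.
DELETION_CHECKS: List[Tuple[str, str]] = [
    (f"{KV_MOUNT}/data/app/db", "delete"),      # DELETE on data/: soft-delete latest version
    (f"{KV_MOUNT}/metadata/app/db", "delete"),  # DELETE on metadata/: remove all versions
    (f"{KV_MOUNT}/delete/app/db", "update"),    # POST on delete/: soft-delete chosen versions
    (f"{KV_MOUNT}/destroy/app/db", "update"),   # POST on destroy/: permanently destroy versions
    (f"{KV_MOUNT}/undelete/app/db", "update"),  # POST on undelete/: restore soft-deleted versions
]

PATH_BLOCK = re.compile(r'path\s+"([^"]+)"\s*\{([^}]*)\}')
CAPS_LIST = re.compile(r'capabilities\s*=\s*\[([^\]]*)\]')
QUOTED = re.compile(r'"([^"]*)"')


def parse_policy(hcl: str) -> Dict[str, List[str]]:
    """Map each path block to its capabilities (simple policies only, no nested blocks)."""
    rules: Dict[str, List[str]] = {}
    for match in PATH_BLOCK.finditer(hcl):
        path, body = match.group(1), match.group(2)
        caps = CAPS_LIST.search(body)
        rules[path] = QUOTED.findall(caps.group(1)) if caps else []
    return rules


def glob_to_regex(policy_path: str) -> "re.Pattern[str]":
    """Vault ACL globbing: '+' matches one path segment, a trailing '*' matches any suffix."""
    pattern = re.escape(policy_path).replace(r"\+", "[^/]+")
    if pattern.endswith(r"\*"):
        pattern = pattern[:-2] + ".*"
    return re.compile("^" + pattern + "$")


def deletion_grants(hcl: str) -> List[Tuple[str, str, str]]:
    """Return (policy_path, kv_request_path, capability) for every deletion right granted."""
    findings: List[Tuple[str, str, str]] = []
    for policy_path, caps in parse_policy(hcl).items():
        capset = set(caps)
        if "deny" in capset:  # deny overrides every other capability on that path
            continue
        matcher = glob_to_regex(policy_path)
        for request_path, needed in DELETION_CHECKS:
            if matcher.match(request_path) and needed in capset:
                findings.append((policy_path, request_path, needed))
    return findings


# Constructed example: a broad application policy that quietly grants every
# deletion path on the mount through a single wildcard rule.
BROAD_POLICY = """
path "secret/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
"""

# Constructed example: the same team's access with deletion rights removed
# and the soft-delete/destroy prefixes explicitly denied until patched.
TIGHTENED_POLICY = """
path "secret/data/app/*" {
  capabilities = ["create", "read", "update", "list"]
}
path "secret/metadata/app/*" {
  capabilities = ["read", "list"]
}
path "secret/delete/*" {
  capabilities = ["deny"]
}
path "secret/destroy/*" {
  capabilities = ["deny"]
}
"""

if __name__ == "__main__":
    for name, text in (("broad", BROAD_POLICY), ("tightened", TIGHTENED_POLICY)):
        print(f"{name}: {deletion_grants(text)}")
```

Run it against each policy name returned by `vault policy list`; any finding on a token that only needs to read secrets is a capability to remove until the upgrade lands.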
## Detection
- **Indicators of compromise:**
  - Outbound connections from the Vault server's IP to internal management interfaces, link-local or metadata addresses, or non-standard ports, timed with ACME challenge activity on a PKI mount.
  - Vault audit log entries showing deletion-type requests on KVv2 paths (`delete` on `data/` or `metadata/`, `update` on `delete/`, `destroy/` or `undelete/`) from tokens whose policy was not expected to permit them, or in unusually high volume.
- **Detection methods:** Review Vault audit logs for bursts of deletion-type requests on KVv2 paths per token and source address, and for ACME requests (`<pki-mount>/acme/...`) from clients that are not known ACME users. Note that the audit log records only the inbound API request; the forged validation request itself leaves Vault as ordinary egress traffic and must be caught with network telemetry (flow logs, egress proxy or firewall logs) correlated to the ACME request time.
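As an added example of the audit-log side of that detection (not HashiCorp tooling), the script below scans Vault audit-device JSON lines, raises one alert when a single token and source address exceed a threshold of deletion-type KVv2 requests inside a sliding window, and one alert per unknown client address that touches an ACME path. The log lines are constructed to follow the shape of Vault's file audit device output (one JSON object per line with `type`, `time`, `auth` and `request`; token fields are HMACed in real logs). The window, threshold, the KVv2 mount layout and the ACME client allowlist are assumptions.

```python
"""Hunt over Vault audit-device JSON lines for KVv2 deletion bursts and
unexpected ACME clients. Added example, not HashiCorp tooling; the log
lines below are constructed."""
import json
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Tuple

DELETE_WINDOW_SECONDS = 60       # assumed sliding window
DELETE_THRESHOLD = 5             # assumed: alert when an actor exceeds this many deletions in the window
KNOWN_ACME_CLIENTS = {"10.0.2.20"}  # assumed: hosts expected to use ACME against Vault


def parse_time(ts: str) -> datetime:
    """Vault writes RFC 3339 with nanoseconds; trim to microseconds for fromisoformat."""
    ts = re.sub(r"(\.\d{6})\d+", r"\1", ts)
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def is_kv_deletion(req: dict) -> bool:
    """True for the KVv2 operations that delete, destroy or undelete versions.
    Assumes the KVv2 engine is mounted at a single top-level path segment."""
    parts = req.get("path", "").split("/", 2)
    if len(parts) < 3:
        return False
    op, prefix = req.get("operation", ""), parts[1]
    return (op == "delete" and prefix in ("data", "metadata")) or (
        op == "update" and prefix in ("delete", "destroy", "undelete"))


def is_acme_request(req: dict) -> bool:
    return "acme" in req.get("path", "").split("/")


def scan(lines: List[str]) -> Dict[str, list]:
    """Return deletion-burst alerts (accessor, address, time, count) and unknown ACME client addresses."""
    bursts: List[Tuple[str, str, str, int]] = []
    acme_clients: List[str] = []
    recent: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    for line in lines:
        if not line.strip():
            continue
        entry = json.loads(line)
        if entry.get("type") != "request":   # response entries repeat the request; count once
            continue
        req, auth = entry.get("request", {}), entry.get("auth", {})
        actor = (auth.get("accessor", "?"), req.get("remote_address", "?"))
        if is_kv_deletion(req):
            t = parse_time(entry["time"])
            q = recent[actor]
            q.append(t)
            while q and (t - q[0]).total_seconds() > DELETE_WINDOW_SECONDS:
                q.popleft()
            if len(q) == DELETE_THRESHOLD + 1:  # alert once as the threshold is crossed
                bursts.append((actor[0], actor[1], entry["time"], len(q)))
        if is_acme_request(req):
            addr = actor[1]
            if addr not in KNOWN_ACME_CLIENTS and addr not in acme_clients:
                acme_clients.append(addr)
    return {"kv_deletion_bursts": bursts, "unexpected_acme_clients": acme_clients}


def _line(ts: str, accessor: str, addr: str, op: str, path: str, typ: str = "request") -> str:
    """Constructed audit line in the shape of Vault's file audit device."""
    return json.dumps({"time": ts, "type": typ,
                       "auth": {"accessor": accessor, "display_name": "token", "policies": ["app"]},
                       "request": {"operation": op, "path": path, "remote_address": addr}})


SAMPLE_LOG = [
    _line("2026-04-10T12:00:00Z", "hmac-sha256:aaa", "10.0.0.5", "read", "secret/data/app/db"),
    # seven metadata deletions from one token in seven seconds: crosses the threshold at the sixth
    *[_line(f"2026-04-10T12:00:{i:02d}Z", "hmac-sha256:aaa", "10.0.0.5", "delete",
            f"secret/metadata/app/item{i}") for i in range(1, 8)],
    _line("2026-04-10T12:00:08Z", "hmac-sha256:aaa", "10.0.0.5", "delete", "secret/metadata/app/item8", "response"),
    _line("2026-04-10T12:00:30Z", "hmac-sha256:bbb", "10.0.0.7", "update", "secret/destroy/app/db"),
    _line("2026-04-10T12:01:00Z", "hmac-sha256:ccc", "10.0.2.20", "update", "pki/acme/new-order"),
    _line("2026-04-10T12:01:05Z", "hmac-sha256:ddd", "10.0.9.9", "read", "pki/acme/directory"),
    _line("2026-04-10T12:01:06Z", "hmac-sha256:ddd", "10.0.9.9", "update", "pki/acme/new-order"),
]

if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_LOG), indent=2))
```

Feed it the audit device file directly (`scan(open(path).readlines())`) and tune the window and threshold to the mount's normal churn; the ACME allowlist should be derived from the hosts that are actually enrolled with the PKI mount.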
## References
- HashiCorp Security Advisory HCSEC-2026-05: hxxps[://]discuss[.]hashicorp[.]com/t/hcsec-2026-05-vault-kvv2-metadata-and-secret-deletion-policy-bypass-denial-of-service/77342
- HashiCorp Security Advisory HCSEC-2026-06: hxxps[://]discuss[.]hashicorp[.]com/t/hcsec-2026-06-vault-vulnerable-to-server-side-request-forgery-in-acme-challenge-validation-via-attacker-controlled-dns/77343
- Canadian Centre for Cyber Security Advisory: hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/hashicorp-security-advisory-av26-363