CVE Alert

CVE-2026-3605

HIGH 8.1

Vault KVv2 Metadata and Secret Deletion Policy Bypass Denial-of-Service

CVSS Score
8.1
EPSS Score
0.0%
EPSS Percentile
2nd

An authenticated user with access to a KV v2 (kvv2) path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial of service. The vulnerability did not allow a malicious user to delete secrets across namespaces, nor to read any secret data. Fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.
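The mechanics of the bypass are not described on this page, so the following does not reproduce it. It is an added example, not code from the advisory or from HashiCorp: a small offline auditor that maps a KV v2 secret onto the API prefixes Vault authorizes separately (data/, metadata/, delete/, undelete/, destroy/) and reports glob rules that grant destructive capabilities on secrets the same policy can neither read nor write. That over-grant is the blast radius a defender would want to bound while upgrading, since the fix itself is the patched version. The policy text, the `kv` mount name and the secret names are constructed; the precedence logic is a simplified approximation of Vault's (an exact rule wins, otherwise the matching glob with the longest literal prefix).

```python
"""Offline auditor for Vault ACL policy fragments against KV v2 API paths.

Added example, not code from the advisory or from HashiCorp. It does not
reproduce CVE-2026-3605 (the bypass mechanics are not on the page); it
reports glob rules that grant destructive KV v2 capabilities on secrets the
same policy cannot read or write. Policy text, mount and secret names are
constructed for the example.
"""
import re

# One logical KV v2 secret is reachable under several API prefixes, and Vault
# authorizes each API path separately. DELETE on metadata/ removes every
# version; POST on delete/ and destroy/ soft-deletes or destroys versions.
KV2_PREFIXES = ("data", "metadata", "delete", "undelete", "destroy")
DESTRUCTIVE = (("data", "delete"), ("metadata", "delete"),
               ("delete", "update"), ("destroy", "update"))

RULE_RE = re.compile(
    r'path\s+"([^"]+)"\s*\{[^}]*?capabilities\s*=\s*\[([^\]]*)\]', re.S)


def parse_policy(text):
    """Return [(path_pattern, set(capabilities))] from HCL-style policy text."""
    rules = []
    for pattern, caps in RULE_RE.findall(text):
        rules.append((pattern,
                      {c.strip().strip('"') for c in caps.split(",") if c.strip()}))
    return rules


def vault_match(pattern, path):
    """Vault ACL glob semantics: '+' matches exactly one path segment and a
    trailing '*' matches any remainder, including the rest of its own segment."""
    star = pattern.endswith("*")
    rule = pattern[:-1] if star else pattern
    rsegs, psegs = rule.split("/"), path.split("/")
    if not star and len(psegs) != len(rsegs):
        return False
    if star and len(psegs) < len(rsegs):
        return False
    for i, seg in enumerate(rsegs):
        if seg == "+":
            continue
        if star and i == len(rsegs) - 1:
            if not psegs[i].startswith(seg):
                return False
        elif psegs[i] != seg:
            return False
    return True


def effective_caps(rules, path):
    """Simplified Vault precedence (assumption, not the real evaluator): an
    exact rule wins; otherwise the matching glob with the longest literal
    prefix. A 'deny' capability removes everything."""
    exact = [caps for pattern, caps in rules if pattern == path]
    if exact:
        caps = exact[0]
    else:
        matches = [(len(p.rstrip("*")), caps)
                   for p, caps in rules if vault_match(p, path)]
        if not matches:
            return set()
        caps = max(matches, key=lambda m: m[0])[1]
    return set() if "deny" in caps else set(caps)


def audit(policy_text, mount, secrets):
    """Return [(secret, ["prefix:capability", ...])] for secrets the policy can
    delete or destroy but can neither read nor write through data/."""
    rules = parse_policy(policy_text)
    findings = []
    for secret in secrets:
        caps = {p: effective_caps(rules, f"{mount}/{p}/{secret}") for p in KV2_PREFIXES}
        can_read = "read" in caps["data"]
        can_write = bool(caps["data"] & {"create", "update"})
        destructive = sorted(f"{p}:{c}" for p, c in DESTRUCTIVE if c in caps[p])
        if destructive and not (can_read or can_write):
            findings.append((secret, destructive))
    return findings


# Constructed policy: the housekeeping glob on metadata/ reaches every team.
LOOSE_POLICY = '''
path "kv/data/team-a/*" {
  capabilities = ["create", "read", "update"]
}
path "kv/metadata/*" {
  capabilities = ["list", "delete"]
}
path "kv/data/shared/+/config" {
  capabilities = ["read"]
}
'''

# Same intent, glob narrowed to the paths team-a may already read and write.
TIGHT_POLICY = LOOSE_POLICY.replace('"kv/metadata/*"', '"kv/metadata/team-a/*"')

SECRETS = ["team-a/db", "team-b/db", "shared/prod/config"]

if __name__ == "__main__":
    for name, policy in (("loose", LOOSE_POLICY), ("tight", TIGHT_POLICY)):
        print(name, audit(policy, "kv", SECRETS))
```

Run against the constructed policies, the loose variant flags `team-b/db` (metadata delete without any data/ access) and the tightened variant flags nothing. In a real review the inventory of secrets would come from `vault kv metadata list` on each mount rather than a hard-coded list.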

CWE CWE-288 (Authentication Bypass Using an Alternate Path or Channel)
Vendor hashicorp
Product vault
Published Apr 17, 2026
Last Updated Apr 17, 2026

CVSS v3.1 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Privileges Required: Low (PR:L)
User Interaction: None (UI:N)
Scope: Unchanged (S:U)
Confidentiality: None (C:N)
Integrity: High (I:H)
Availability: High (A:H)

Affected Versions

HashiCorp / Vault: >= 0.10.0, < 2.0.0
HashiCorp / Vault Enterprise: >= 0.10.0, < 2.0.0 (the Enterprise maintenance releases 1.21.5, 1.20.10 and 1.19.16 also carry the fix)

References

NVD | CVE.org | EPSS Data
discuss.hashicorp.com: https://discuss.hashicorp.com/t/hcsec-2026-05-vault-kvv2-metadata-and-secret-deletion-policy-bypass-denial-of-service/77342

Credits

This issue was independently identified and reported by chungkn from OneMount Group, and by Andy RUSSON and Gabriel DEPARTOUT from almond.eu, sponsored by the ANSSI (French Cybersecurity Agency) open-source security audit program.