CVE-2026-4525

HIGH 7.5

Vault Token Leaked to Backends via Authorization: Bearer Passthrough Header

CVSS Score

7.5

EPSS Score

0.0%

EPSS Percentile

0th

If a Vault auth mount is configured to pass through the "Authorization" header, and the "Authorization" header is used to authenticate to Vault, Vault forwarded the Vault token to the auth plugin backend. Fixed in 2.0.0, 1.21.5, 1.20.10, and 1.19.16.

CWE	CWE-201
Vendor	hashicorp
Product	vault
Published	Apr 17, 2026

Stay Ahead of the Next One

Get instant alerts for hashicorp vault

Be the first to know when new high vulnerabilities affecting hashicorp vault are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

HashiCorp / Vault

0.11.2 < 2.0.0

HashiCorp / Vault Enterprise

0.11.2 < 2.0.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

discuss.hashicorp.com: https://discuss.hashicorp.com/t/hcsec-2026-07-vault-may-expose-tokens-to-auth-plugins-due-to-incorrect-header-sanitization/77344