CVE-2026-5807

HIGH 7.5

Vault Vulnerable to Denial-of-Service via Unauthenticated Root Token Generation/Rekey Operations

CVSS Score

7.5

EPSS Score

0.0%

EPSS Percentile

0th

Vault is vulnerable to a denial-of-service condition where an unauthenticated attacker can repeatedly initiate or cancel root token generation or rekey operations, occupying the single in-progress operation slot. This prevents legitimate operators from completing these workflows. This vulnerability, CVE-2026-5807, is fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0.

CWE	CWE-770
Vendor	hashicorp
Product	vault
Published	Apr 17, 2026

Stay Ahead of the Next One

Get instant alerts for hashicorp vault

Be the first to know when new high vulnerabilities affecting hashicorp vault are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

HashiCorp / Vault

0 < 2.0.0

HashiCorp / Vault Enterprise

0 < 2.0.0.

References

NVD ↗ CVE.org ↗ EPSS Data ↗

discuss.hashicorp.com: https://discuss.hashicorp.com/t/hcsec-2026-08-vault-vulnerable-to-denial-of-service-via-unauthenticated-root-token-generation-rekey-operations/77345