CVE-2026-3605

Published: Apr 17, 2026 Last Modified: Apr 17, 2026

ExploitDB:

Other exploit source:

Google Dorks:

HIGH 8,1

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: low

User Interaction: none

Scope: unchanged

Confidentiality: none

Integrity: high

Availability: high

Description

AI Translation Available

An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user to delete secrets across namespaces, nor read any secret data. Fxed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.

288

Authentication Bypass Using an Alternate Path or Channel

Incomplete

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Access Control

Potential Impacts:

Bypass Protection Mechanism

Applicable Platforms

Technologies: Not Technology-Specific, Web Based

View CWE Details

https://discuss.hashicorp.com/t/hcsec-2026-05-vault-kvv2-me…

https://discuss.hashicorp.com/t/hcsec-2026-05-vault-kvv2-metadata-and-secret-de…

CVE-2026-3605

Description

Authentication Bypass Using an Alternate Path or Channel

Common Consequences

Applicable Platforms

Iscriviti alla newsletter