Zero Day Monitor (ZDM)
CVE-2026-3605 · CVSS 8.1 · EXPLOITED · PATCHED
Vendor: hashi · Product: vault

Vault KVv2 Metadata and Secret Deletion Policy Bypass Denial-of-Service

Description

An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user to delete secrets across namespaces, nor read any secret data. Fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.

Affected Products

Vendor   Product   Versions
hashi    vault     0.10.0, 0.10.0

References

  • https://discuss.hashicorp.com/t/hcsec-2026-05-vault-kvv2-metadata-and-secret-deletion-policy-bypass-denial-of-service/77342

Related News (1 article)

Tier C · VulDB · 14h ago
CVE-2026-3605 | HashiCorp Vault/Vault Enterprise up to 1.21.0 Policy authentication bypass
→ No new info (linked only)
CVSS 3.1: 8.1 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
CISA KEV: No
Actively exploited: Yes
Patch available: 2.0.0
CWE: CWE-288
Published: Apr 17, 2026
Last enriched: 14h ago (v2)
Trending Score: 48
Source articles: 1
Independent: 1
Info Completeness: 9/14
Missing: epss, kev, exploit, iocs, mitre_attack

Related CVEs (5)

HIGH · CVE-2026-4525 · EXP
Vault Token Leaked to Backends via Authorization: Bearer Passthrough Header
Trending: 48

MEDIUM · CVE-2026-5052
Vault Vulnerable to Server-Side Request Forgery in ACME Challenge Validation via Attacker-Controlled DNS
Trending: 43

HIGH · CVE-2026-5807
Vault Vulnerable to Denial-of-Service via Unauthenticated Root Token Generation/Rekey Operations
Trending: 35

PRE-CVE
Vault KVv2 Metadata and Secret Deletion Policy Bypass and Server-Side Request Forgery Vulnerabilities
Trending: 20

HIGH · CVE-2026-4660
Go-getter may allow to arbitrary filesystem reads through git operations
Trending: 9

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: Apr 17, 2026
Discovered by ZDM: Apr 17, 2026
Updated (severity, activelyExploited): Apr 17, 2026
Actively Exploited: Apr 17, 2026
Patch Available: Apr 17, 2026

Version History

v2 · Last enriched 14h ago

v2 · Tier C · 14h ago
Updated severity to CRITICAL, marked as actively exploited, and noted that no exploit is available.
Fields changed: severity, activelyExploited
via VulDB

v1 · 15h ago
Initial creation