Zero Day Monitor (ZDM)
7.5
CVE-2026-5807 PATCHED
hashi · vault

Vault Vulnerable to Denial-of-Service via Unauthenticated Root Token Generation/Rekey Operations

Description

Vault is vulnerable to a denial-of-service condition where an unauthenticated attacker can repeatedly initiate or cancel root token generation or rekey operations, occupying the single in-progress operation slot. This prevents legitimate operators from completing these workflows. This vulnerability, CVE-2026-5807, is fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0.

Affected Products

Vendor | Product | Versions
hashi | vault | 0, 0

References

  • https://discuss.hashicorp.com/t/hcsec-2026-08-vault-vulnerable-to-denial-of-service-via-unauthenticated-root-token-generation-rekey-operations/77345

Related News (1 article)

Tier C · VulDB · 13h ago
CVE-2026-5807 | HashiCorp Vault/Vault Enterprise up to 1.x Token Generation allocation of resources
→ No new info (linked only)
CVSS 3.1: 7.5 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA KEV: No
Actively exploited: No
Patch available: 2.0.0, 2.0.0
CWE: CWE-770
Published: Apr 17, 2026
Last enriched: 12h ago (v2)
Tags: denial-of-service
Trending Score: 35
Source articles: 1
Independent: 1
Info Completeness: 9/14
Missing: epss, kev, exploit, iocs, mitre_attack

Related CVEs (5)

  • HIGH · CVE-2026-4525 · EXP: Vault Token Leaked to Backends via Authorization: Bearer Passthrough Header (Trending: 49)
  • HIGH · CVE-2026-3605 · EXP: Vault KVv2 Metadata and Secret Deletion Policy Bypass Denial-of-Service (Trending: 49)
  • MEDIUM · CVE-2026-5052: Vault Vulnerable to Server-Side Request Forgery in ACME Challenge Validation via Attacker-Controlled DNS (Trending: 43)
  • PRE-CVE: Vault KVv2 Metadata and Secret Deletion Policy Bypass and Server-Side Request Forgery Vulnerabilities (Trending: 20)
  • HIGH · CVE-2026-4660: Go-getter may allow to arbitrary filesystem reads through git operations (Trending: 9)

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

  • CVE Published: Apr 17, 2026
  • Discovered by ZDM: Apr 17, 2026
  • Updated: affectedVersions, severity, tags: Apr 17, 2026
  • Patch Available: Apr 17, 2026

Version History

v2 · Tier C · 12h ago

Updated affected versions to include 1.x, changed severity to MEDIUM, and noted that no exploit exists.

Updated: affectedVersions, severity, tags (via VulDB)

v1 · 13h ago

Initial creation