{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4525", "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "state": "PUBLISHED", "assignerShortName": "HashiCorp", "dateReserved": "2026-03-20T17:47:40.835Z", "datePublished": "2026-04-17T03:00:47.561Z", "dateUpdated": "2026-04-17T17:22:41.255Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["64 bit", "32 bit", "x86", "ARM", "MacOS", "Windows", "Linux"], "product": "Vault", "repo": "https://github.com/hashicorp/vault", "vendor": "HashiCorp", "versions": [{"lessThan": "2.0.0", "status": "affected", "version": "0.11.2", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "platforms": ["64 bit", "32 bit", "x86", "ARM", "MacOS", "Windows", "Linux"], "product": "Vault Enterprise", "repo": "https://github.com/hashicorp/vault", "vendor": "HashiCorp", "versions": [{"changes": [{"at": "1.19.16", "status": "unaffected"}, {"at": "1.20.10", "status": "unaffected"}, {"at": "1.21.5", "status": "unaffected"}], "lessThan": "2.0.0", "status": "affected", "version": "0.11.2", "versionType": "semver"}]}], "credits": [{"lang": "en", "value": "This issue was identified and reported by Oleh Konko of 1seal."}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>If a Vault auth mount is configured to pass through the \"Authorization\" header, and the \"Authorization\" header is used to authenticate to Vault, Vault forwarded the Vault token to the auth plugin backend. Fixed in 2.0.0, 1.21.5, 1.20.10, and 1.19.16.</p><br/>"}], "value": "If a Vault auth mount is configured to pass through the \"Authorization\" header, and the \"Authorization\" header is used to authenticate to Vault, Vault forwarded the Vault token to the auth plugin backend. Fixed in 2.0.0, 1.21.5, 1.20.10, and 1.19.16."}], "impacts": [{"capecId": "CAPEC-118", "descriptions": [{"lang": "en", "value": "CAPEC-118: Collect and Analyze Information"}]}], "metrics": [{"cvssV3_1": {"baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-201", "description": "CWE-201: Insertion of Sensitive Information Into Sent Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "shortName": "HashiCorp", "dateUpdated": "2026-04-17T17:22:41.255Z"}, "references": [{"url": "https://discuss.hashicorp.com/t/hcsec-2026-07-vault-may-expose-tokens-to-auth-plugins-due-to-incorrect-header-sanitization/77344"}], "source": {"advisory": "HCSEC-2026-08", "discovery": "EXTERNAL"}, "title": "Vault Token Leaked to Backends via Authorization: Bearer Passthrough Header"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-17T13:19:26.452614Z", "id": "CVE-2026-4525", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-17T13:19:32.463Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4525", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-17T13:19:26.452614Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-17T13:19:29.212Z"}}], "cna": {"title": "Vault Token Leaked to Backends via Authorization: Bearer Passthrough Header", "source": {"advisory": "HCSEC-2026-08", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "value": "This issue was identified and reported by Oleh Konko of 1seal."}], "impacts": [{"capecId": "CAPEC-118", "descriptions": [{"lang": "en", "value": "CAPEC-118: Collect and Analyze Information"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/hashicorp/vault", "vendor": "HashiCorp", "product": "Vault", "versions": [{"status": "affected", "version": "0.11.2", "lessThan": "2.0.0", "versionType": "semver"}], "platforms": ["64 bit", "32 bit", "x86", "ARM", "MacOS", "Windows", "Linux"], "defaultStatus": "unaffected"}, {"repo": "https://github.com/hashicorp/vault", "vendor": "HashiCorp", "product": "Vault Enterprise", "versions": [{"status": "affected", "changes": [{"at": "1.19.16", "status": "unaffected"}, {"at": "1.20.10", "status": "unaffected"}, {"at": "1.21.5", "status": "unaffected"}], "version": "0.11.2", "lessThan": "2.0.0", "versionType": "semver"}], "platforms": ["64 bit", "32 bit", "x86", "ARM", "MacOS", "Windows", "Linux"], "defaultStatus": "unaffected"}], "references": [{"url": "https://discuss.hashicorp.com/t/hcsec-2026-07-vault-may-expose-tokens-to-auth-plugins-due-to-incorrect-header-sanitization/77344"}], "descriptions": [{"lang": "en", "value": "If a Vault auth mount is configured to pass through the \"Authorization\" header, and the \"Authorization\" header is used to authenticate to Vault, Vault forwarded the Vault token to the auth plugin backend. Fixed in 2.0.0, 1.21.5, 1.20.10, and 1.19.16.", "supportingMedia": [{"type": "text/html", "value": "<p>If a Vault auth mount is configured to pass through the \"Authorization\" header, and the \"Authorization\" header is used to authenticate to Vault, Vault forwarded the Vault token to the auth plugin backend. Fixed in 2.0.0, 1.21.5, 1.20.10, and 1.19.16.</p><br/>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-201", "description": "CWE-201: Insertion of Sensitive Information Into Sent Data"}]}], "providerMetadata": {"orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "shortName": "HashiCorp", "dateUpdated": "2026-04-17T17:22:41.255Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4525", "state": "PUBLISHED", "dateUpdated": "2026-04-17T17:22:41.255Z", "dateReserved": "2026-03-20T17:47:40.835Z", "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "datePublished": "2026-04-17T03:00:47.561Z", "assignerShortName": "HashiCorp"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "E12BA6D9-0FDE-4CA9-8D01-35CD029D15D2", "versionEndExcluding": "1.19.16", "versionStartIncluding": "0.11.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:*", "matchCriteriaId": "48995D65-70D6-476A-ACD7-2A8F527D2975", "versionEndExcluding": "2.0.0", "versionStartIncluding": "0.11.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "E2135CCF-F6D8-41AC-8D0C-F763F63974B4", "versionEndExcluding": "1.20.10", "versionStartIncluding": "1.20.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "C8097BD2-0B19-4BA7-930E-93A5A89EC4AF", "versionEndExcluding": "1.21.5", "versionStartIncluding": "1.21.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "If a Vault auth mount is configured to pass through the \"Authorization\" header, and the \"Authorization\" header is used to authenticate to Vault, Vault forwarded the Vault token to the auth plugin backend. Fixed in 2.0.0, 1.21.5, 1.20.10, and 1.19.16."}], "id": "CVE-2026-4525", "lastModified": "2026-04-27T15:02:47.137", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "security@hashicorp.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-17T04:16:09.997", "references": [{"source": "security@hashicorp.com", "tags": ["Vendor Advisory"], "url": "https://discuss.hashicorp.com/t/hcsec-2026-07-vault-may-expose-tokens-to-auth-plugins-due-to-incorrect-header-sanitization/77344"}], "sourceIdentifier": "security@hashicorp.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-201"}], "source": "security@hashicorp.com", "type": "Secondary"}]}

{"bugzilla": {"description": "Vault: Vault: Information disclosure of authentication tokens via incorrect header handling", "id": "2459107", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2459107"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-201", "details": ["A flaw was found in Vault. When a Vault authentication mount is configured to pass through the \"Authorization\" header, and this header is used for authentication, Vault incorrectly forwards the sensitive Vault token to the authentication plugin backend. This can lead to the disclosure of authentication tokens to potentially untrusted or compromised backend plugins, enabling unauthorized access or further system compromise."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-4525", "package_state": [{"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-baremetal-installer-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-installer-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "cephcsi-rhel8", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "cephcsi-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "mcg-cli-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "mcg-rhel8-operator", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "mcg-rhel9-operator", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "ocs4/cephcsi-rhel8", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/cephcsi-rhel8", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/cephcsi-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/mcg-cli-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/mcg-rhel8-operator", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/mcg-rhel9-operator", "product_name": "Red Hat Openshift Data Foundation 4"}], "public_date": "2026-04-17T03:00:47Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-4525\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-4525\nhttps://discuss.hashicorp.com/t/hcsec-2026-07-vault-may-expose-tokens-to-auth-plugins-due-to-incorrect-header-sanitization/77344"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": ["64_bit", "32_bit", "x86", "arm", "macos", "windows", "linux"], "status": "affected", "versions": {"scheme": "semver", "value": "[0.11.2,2.0.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Vault", "source": "cna", "vendor": "HashiCorp"}, "product": "vault", "vendor": "hashicorp"}, {"configurations": [{"platform": ["64_bit", "32_bit", "x86", "arm", "macos", "windows", "linux"], "status": "affected", "versions": {"scheme": "semver", "value": "[0.11.2,2.0.0)"}}, {"platform": ["64_bit", "32_bit", "x86", "arm", "macos", "windows", "linux"], "status": "unaffected", "versions": {"scheme": "semver", "value": "1.19.16"}}, {"platform": ["64_bit", "32_bit", "x86", "arm", "macos", "windows", "linux"], "status": "unaffected", "versions": {"scheme": "semver", "value": "1.20.10"}}, {"platform": ["64_bit", "32_bit", "x86", "arm", "macos", "windows", "linux"], "status": "unaffected", "versions": {"scheme": "semver", "value": "1.21.5"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Vault Enterprise", "source": "cna", "vendor": "HashiCorp"}, "product": "vault_enterprise", "vendor": "hashicorp"}], "analysis": {"en": {"generated_at": "2026-04-17T04:20:27.744411+00:00", "value": {"mitigation_remediation": ["Upgrade HashiCorp Vault to version 2.0.0 or newer, or to 1.21.5, 1.20.10, or 1.19.16 to receive the patch.", "If any Vault tokens may have been exposed, immediately rotate or revoke impacted tokens and generate new root tokens.", "Reconfigure all authentication backends to disable passthrough of the Authorization header and ensure safe handling of header data.", "Implement comprehensive input validation or header sanitization for any internal components that process Authorization headers to prevent future token leakage."], "summary": {"action": "Patch Now", "impact": "Vault Token Exposure"}, "threat_synthesis": {"affected_systems": "HashiCorp Vault and Vault Enterprise are affected. All releases older than 2.0.0, 1.21.5, 1.20.10, or 1.19.16 contain the vulnerability.", "description_and_impact": "Vault allows the Authorization header to be forwarded to authentication backends when the header is used for authenticating to Vault. The forwarded header contains the Vault token, which is mistakenly exposed to the auth plugin. This leakage of the token can enable an attacker to impersonate the user with the token's privileges. The weakness is an insecure handling of sensitive data (CWE-201), compromising confidentiality and potentially providing full access to Vault resources.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 7.5, indicating high severity. EPSS data is not available, but public exploitation is not documented and the issue is not listed in the CISA KEV catalog. The attack requires the ability to configure an auth mount to use the Authorization header passthrough, which is typically a privilege of internal users or an attacker who compromises the configuration process. An attacker who can achieve this can retrieve a Vault token and perform unauthorized actions."}}}}, "created": "2026-04-17T04:30:09.541843+00:00", "updated": "2026-04-17T04:30:09.624393+00:00", "vendors": ["hashicorp", "hashicorp$PRODUCT$vault", "hashicorp$PRODUCT$vault_enterprise"]}