CVE-2026-3605
Published: 17 April 2026
Summary
CVE-2026-3605 is a high-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in HashiCorp Vault. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data Destruction (T1485); ranked at the 2.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mitigates the CVE by requiring timely remediation of the specific flaw in Vault KV v2 glob policy handling through vendor patches.
- AC-3 (Access Enforcement): Enforces approved authorizations for access, directly addressing the policy bypass that allowed unauthorized deletions within the same namespace.
- AC-6 (Least Privilege): Limits policy permissions to least privilege, reducing the risk from broad glob patterns that enable the unauthorized delete.
MITRE ATT&CK Enterprise Techniques
- Data Destruction (T1485)
Why these techniques?
The policy bypass directly enables unauthorized deletion of secrets in the KV v2 engine, which maps to data destruction with a denial-of-service impact.
NVD Description
An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user to delete secrets across namespaces, nor read any secret data. Fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.
Deeper analysis
CVE-2026-3605 is a policy bypass vulnerability in HashiCorp Vault's KV v2 secrets engine. An authenticated user with access to a kvv2 path through a policy containing a glob pattern may delete secrets they were not authorized to read or write, resulting in a denial-of-service condition. The issue affects Vault Community Edition and Vault Enterprise versions prior to 2.0.0, 1.21.5, 1.20.10, and 1.19.16, and is rated with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H), linked to CWE-288.
An attacker requires low privileges as an authenticated user with policy-granted access to a kvv2 path via glob patterns. Exploitation allows deletion of unauthorized secrets within the same namespace, causing denial-of-service by rendering those secrets unavailable. The vulnerability does not permit cross-namespace deletions or reading of secret data.
HashiCorp's security advisory details the fix in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16. Practitioners should upgrade to these patched versions to mitigate the issue, as described in the advisory at https://discuss.hashicorp.com/t/hcsec-2026-05-vault-kvv2-metadata-and-secret-deletion-policy-bypass-denial-of-service/77342.
Details
- CWE(s)