Cyber Resilience

CVE-2026-3605

Severity: High (updated)
Published: 17 April 2026
Modified: 30 June 2026
KEV Added: not listed
Patch: available
CVSS v3.1 score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
EPSS score: 0.0030 (21.7th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-3605 is a high-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in HashiCorp Vault. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data Destruction (T1485). EPSS ranks it at the 21.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-3605 is a policy bypass vulnerability in HashiCorp Vault's KV v2 secrets engine. An authenticated user with access to a kvv2 path through a policy containing a glob pattern may delete secrets they were not authorized to read or write, resulting in a denial-of-service condition. The issue affects Vault Community Edition and Vault Enterprise versions prior to 2.0.0, 1.21.5, 1.20.10, and 1.19.16, and is rated with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H), linked to CWE-288.

An attacker requires low privileges as an authenticated user with policy-granted access to a kvv2 path via glob patterns. Exploitation allows deletion of unauthorized secrets within the same namespace, causing denial-of-service by rendering those secrets unavailable. The vulnerability does not permit cross-namespace deletions or reading of secret data.

HashiCorp's security advisory details the fix in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16. Practitioners should upgrade to these patched versions to mitigate the issue, as described in the advisory at https://discuss.hashicorp.com/t/hcsec-2026-05-vault-kvv2-metadata-and-secret-deletion-policy-bypass-denial-of-service/77342.

Vulnerability details

An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user to delete secrets across namespaces, nor read any secret data. Fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1485 Data Destruction (Impact): Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.

Why these techniques?

The policy bypass vulnerability directly enables unauthorized deletion of secrets in the KV v2 engine, which maps to data destruction causing denial-of-service impact.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-11621 (same product: HashiCorp Vault)
CVE-2026-5052 (same product: HashiCorp Vault)
CVE-2026-4525 (same product: HashiCorp Vault)
CVE-2025-6000 (same product: HashiCorp Vault)
CVE-2026-5807 (same product: HashiCorp Vault)
CVE-2025-0377 (same vendor: HashiCorp)
CVE-2025-1293 (same vendor: HashiCorp)
CVE-2025-0937 (same vendor: HashiCorp)
CVE-2026-2096 (shared CWE-288)
CVE-2026-44574 (shared CWE-288)

Affected Assets

hashicorp vault: 0.10.0 to 1.19.16 · 0.10.0 to 2.0.0 · 1.20.0 to 1.20.10

Mitigating Controls (NIST 800-53 r5) (AI)

SI-2 Flaw Remediation (prevent): Directly mitigates the CVE by requiring timely remediation of the specific flaw in Vault KV v2 glob policy handling through vendor patches.

AC-3 Access Enforcement (prevent): Enforces approved authorizations for access, directly addressing the policy bypass that allowed unauthorized deletions in the same namespace.

Least privilege (prevent): Limits policy permissions to least privilege, reducing risk from broad glob patterns that enable the unauthorized delete exploit.
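To make the least-privilege point concrete, here is an added review helper (not HashiCorp's code and not part of this advisory) that reports which KV v2 sub-paths (data, metadata, delete, destroy) each wildcard rule in a Vault policy can remove secrets from, so a broad glob can be compared against a scoped form. It assumes Vault's documented policy matching ('+' matches one segment, a trailing '*' is a prefix glob), the KV v2 endpoint/capability pairs from its API docs, a mount named `secret`, and two constructed sample policies.

```python
# Added review helper (not HashiCorp code). Assumes Vault's documented policy matching
# ('+' = one path segment, trailing '*' = prefix glob); KV v2 endpoints per its API docs.
DESTRUCTIVE = {  # KV v2 sub-path -> capability that lets a caller remove versions under it
    "data": "delete",      # DELETE <mount>/data/<p>: removes the latest version
    "metadata": "delete",  # DELETE <mount>/metadata/<p>: removes all versions and metadata
    "delete": "update",    # POST <mount>/delete/<p>: soft-deletes chosen versions
    "destroy": "update",   # POST <mount>/destroy/<p>: permanently destroys chosen versions
}


def path_matches(rule_path, request_path):
    """Vault-style rule match: '+' is one segment, a trailing '*' is a prefix glob."""
    glob = rule_path.endswith("*")
    rule_segs, req_segs = rule_path.rstrip("*").split("/"), request_path.split("/")
    if (len(req_segs) < len(rule_segs) or not glob and len(req_segs) > len(rule_segs)
            or any(rs not in ("+", qs) for rs, qs in zip(rule_segs[:-1], req_segs))):
        return False
    last, tail = rule_segs[-1], "/".join(req_segs[len(rule_segs) - 1:])
    return tail.startswith(last) if glob else last in ("+", tail)


def reaches(rule_path, mount, sub):
    """True if some request path under <mount>/<sub>/ can match the rule."""
    glob = rule_path.endswith("*")
    segs = rule_path.rstrip("*").split("/")
    want = [mount, sub, "leaf"]  # concrete filler for wildcard segments
    probe = []
    for i, seg in enumerate(segs):
        target = want[min(i, 2)]
        wild = seg == "+" or (glob and i == len(segs) - 1 and target.startswith(seg))
        probe.append(target if wild else seg)
    path = "/".join(probe + (want[len(probe):] if glob else []))
    return path.startswith(f"{mount}/{sub}/") and path_matches(rule_path, path)


def wildcard_findings(policy, mount="secret"):
    """Wildcard rules mapped to the KV v2 sub-paths where they grant removal."""
    findings = {}
    for rule, caps in policy.items():  # deny beats grants; exact paths are already scoped
        if "deny" not in caps and any(ch in rule for ch in "*+"):
            hits = [s for s, need in DESTRUCTIVE.items() if need in caps and reaches(rule, mount, s)]
            if hits:
                findings[rule] = hits
    return findings


# Constructed samples: a broad glob spanning every sub-path, and a scoped form whose
# globs sit below the sub-path and whose only removal right is a soft-delete of versions.
BROAD_POLICY = {"secret/*": ["create", "read", "update", "delete", "list"]}
SCOPED_POLICY = {
    "secret/data/app/*": ["read"],
    "secret/metadata/app/*": ["read", "list"],
    "secret/delete/app/*": ["update"],
}
```

Running `wildcard_findings(BROAD_POLICY)` reports the single `secret/*` rule reaching all four sub-paths, while the scoped policy's only finding is the intended soft-delete rule.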