CVE-2026-4525
Published: 17 April 2026
Summary
CVE-2026-4525 is a high-severity Insertion of Sensitive Information Into Sent Data (CWE-201) vulnerability in HashiCorp Vault. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 5.0th percentile for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
- SI-2 (Flaw Remediation): directly mitigates the vulnerability by applying the vendor patches that correct the header sanitization flaw and stop Vault from forwarding its token to auth plugin backends.
- CM-6 (Configuration Settings): enforces secure configuration of Vault auth mounts so that the sensitive Authorization header is not passed through, removing the prerequisite for exploitation.
- Monitors audit logs or network flows for inappropriate disclosure of Vault tokens to auth plugin backends.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
The vulnerability in public-facing HashiCorp Vault is remotely exploitable (AV:N) and exposes authentication tokens through header mishandling, which directly facilitates theft of application access tokens.
NVD Description
If a Vault auth mount is configured to pass through the "Authorization" header, and the "Authorization" header is used to authenticate to Vault, Vault forwarded the Vault token to the auth plugin backend. Fixed in 2.0.0, 1.21.5, 1.20.10, and 1.19.16.
Deeper analysis [AI]
CVE-2026-4525 is a vulnerability in HashiCorp Vault where, if a Vault auth mount is configured to pass through the "Authorization" header and that header is used to authenticate to Vault, Vault forwards the Vault token to the auth plugin backend due to incorrect header sanitization. This issue affects Vault versions prior to the fixed releases of 2.0.0, 1.21.5, 1.20.10, and 1.19.16. The vulnerability is classified under CWE-201 (Insertion of Sensitive Information Into Sent Data) with a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high impact on confidentiality, integrity, and availability.
An attacker with low privileges (PR:L) can exploit this over the network (AV:N) under high attack complexity (AC:H) with no user interaction required. Exploitation requires a specifically configured auth mount that passes through the Authorization header, allowing the attacker to trigger authentication flows that cause Vault to forward a valid Vault token to the auth plugin backend, potentially exposing sensitive tokens.
HashiCorp's security advisory (HCSEC-2026-07) details the issue and recommends upgrading to Vault 2.0.0, 1.21.5, 1.20.10, or 1.19.16 to mitigate the vulnerability by properly sanitizing headers and preventing token forwarding. Additional details are available at https://discuss.hashicorp.com/t/hcsec-2026-07-vault-may-expose-tokens-to-auth-plugins-due-to-incorrect-header-sanitization/77344.
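The two conditions the advisory names (a vulnerable Vault version and an auth mount that passes the Authorization header through) are both visible to an operator, so a defender can audit for the configuration without touching the vulnerability itself. The following audit script is an added example and is not code from this page, from HashiCorp or from the advisory. It assumes the auth-mount list comes from `vault auth list -format=json` (a map of mount path to mount info) and that the passthrough list is stored under the mount's `config.passthrough_request_headers` key, which is Vault's mount-tuning option for this feature but is not named on this page; the sample mount data and version strings are constructed.

```python
import json

# Fixed releases exactly as listed in the NVD description above.
FIXED_RELEASES = ("2.0.0", "1.21.5", "1.20.10", "1.19.16")

# Constructed sample modelled on `vault auth list -format=json`; not captured from a real system.
# The key name passthrough_request_headers is assumed (Vault mount-tuning option).
SAMPLE_AUTH_LIST = json.dumps({
    "token/": {"type": "token", "config": {"default_lease_ttl": 0, "max_lease_ttl": 0}},
    "approle/": {"type": "approle",
                 "config": {"passthrough_request_headers": ["X-Forwarded-For"]}},
    "oidc-plugin/": {"type": "oidc",
                     "config": {"passthrough_request_headers": ["authorization", "X-Request-Id"]}},
})


def parse_version(version: str) -> tuple:
    """Turn '1.20.11+ent' or '1.21.4-rc1' into (1, 20, 11) / (1, 21, 4)."""
    core = version.split("+")[0].split("-")[0]
    return tuple(int(part) for part in core.split("."))


def is_patched(version: str) -> bool:
    """True if the version is at or above a fixed release on its own minor branch.

    Anything at 2.0.0 or later is treated as fixed. A 1.x branch not listed in
    FIXED_RELEASES (e.g. 1.18.x) is reported as unpatched, which is the
    conservative reading of the advisory.
    """
    current = parse_version(version)
    if current >= (2, 0, 0):
        return True
    for fixed in FIXED_RELEASES:
        fixed_tuple = parse_version(fixed)
        if current[:2] == fixed_tuple[:2] and current >= fixed_tuple:
            return True
    return False


def find_authorization_passthrough(auth_list_json: str) -> list:
    """Return the auth mount paths whose passthrough list includes Authorization.

    Header names are matched case-insensitively, since HTTP header names are
    case-insensitive and Vault may normalise them differently from the operator.
    """
    mounts = json.loads(auth_list_json)
    exposed = []
    for path, mount in mounts.items():
        config = mount.get("config") or {}
        headers = config.get("passthrough_request_headers") or []
        if any(h.strip().lower() == "authorization" for h in headers):
            exposed.append(path)
    return sorted(exposed)


def assess(auth_list_json: str, version: str) -> dict:
    """Combine both advisory conditions into one finding.

    A mount is only exploitable when clients also authenticate via the
    Authorization header; that is a client-side behaviour this config audit
    cannot see, so the result errs on the side of flagging the mount.
    """
    exposed = find_authorization_passthrough(auth_list_json)
    patched = is_patched(version)
    return {
        "version": version,
        "patched": patched,
        "exposed_mounts": exposed,
        "at_risk": (not patched) and bool(exposed),
    }


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_AUTH_LIST, "1.21.4"), indent=2))
```

On a real cluster the script would be fed the output of `vault auth list -format=json` and the version string from `vault status -format=json`. Any mount it reports should have Authorization removed from its passthrough list (an assumed remediation via the mount tune endpoint, since the page only says the passthrough configuration should be prohibited), and the cluster should be upgraded to one of the fixed releases the advisory lists; the configuration change closes the exposure even before the upgrade lands.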
Details
- CWE(s)