CVE-2026-4525

Severity: High (updated)
Published: 17 April 2026
Modified: 30 June 2026
KEV Added: not listed
Patch: available
CVSS v3.1 Score: 7.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0031 (22.6th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-4525 is a high-severity Insertion of Sensitive Information Into Sent Data (CWE-201) vulnerability in HashiCorp Vault. Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 22.6th percentile by EPSS exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-4525 is a vulnerability in HashiCorp Vault: if an auth mount is configured to pass the "Authorization" request header through to its backend, and a client presents its Vault token in that same header, Vault forwards the caller's Vault token to the auth plugin backend because the header was not sanitized before forwarding. The issue affects Vault versions prior to the fixed releases 2.0.0, 1.21.5, 1.20.10, and 1.19.16. It is classified under CWE-201 (Insertion of Sensitive Information Into Sent Data) with a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H), rating the impact on confidentiality, integrity, and availability as high: a forwarded token carries every policy of the client that presented it.

An attacker with low privileges (PR:L) can exploit this over the network (AV:N) under high attack complexity (AC:H) with no user interaction required. Exploitation requires an auth mount that is specifically configured to pass through the Authorization header; a request authenticated with that header then causes Vault to forward a valid Vault token to the auth plugin backend, potentially exposing the token to that backend.

HashiCorp's security advisory (HCSEC-2026-07) details the issue and recommends upgrading to Vault 2.0.0, 1.21.5, 1.20.10, or 1.19.16 to mitigate the vulnerability by properly sanitizing headers and preventing token forwarding. Additional details are available at https://discuss.hashicorp.com/t/hcsec-2026-07-vault-may-expose-tokens-to-auth-plugins-due-to-incorrect-header-sanitization/77344.

Vulnerability details

If a Vault auth mount is configured to pass through the "Authorization" header, and the "Authorization" header is used to authenticate to Vault, Vault forwarded the Vault token to the auth plugin backend. Fixed in 2.0.0, 1.21.5, 1.20.10, and 1.19.16.

CWE(s)

CWE-201 Insertion of Sensitive Information Into Sent Data

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1528 Steal Application Access Token (Credential Access)
Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
Why these techniques?

The vulnerability in public-facing HashiCorp Vault is remotely exploitable (AV:N) and leads to exposure of authentication tokens through header mishandling, which directly facilitates theft of application access tokens.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-5052 · Same product: HashiCorp Vault
CVE-2025-6000 · Same product: HashiCorp Vault
CVE-2026-3605 · Same product: HashiCorp Vault
CVE-2025-11621 · Same product: HashiCorp Vault
CVE-2026-5807 · Same product: HashiCorp Vault
CVE-2025-0377 · Same vendor: HashiCorp
CVE-2024-13254 · Shared CWE-201
CVE-2026-27406 · Shared CWE-201
CVE-2023-38013 · Shared CWE-201
CVE-2025-22303 · Shared CWE-201

Affected Assets

Vendor: hashicorp
Product: vault
Affected version ranges (upper bound excluded, since it is the fixed release): 0.11.2 up to 1.19.16 · 0.11.2 up to 2.0.0 · 1.20.0 up to 1.20.10

Read together with the fixed releases above, the affected set is every release from 0.11.2 onward that is below the fixed release on its branch: 1.19.16, 1.20.10, 1.21.5, or 2.0.0.

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation · prevent

Directly mitigates the vulnerability by applying the vendor patches (2.0.0, 1.21.5, 1.20.10, 1.19.16) that correct the header sanitization flaw and stop Vault token forwarding to auth plugin backends.

CM-6 Configuration Settings · prevent

Enforces secure configuration settings for Vault auth mounts so that the Authorization header is not listed among a mount's passthrough request headers, removing the precondition for exploitation. Where an auth plugin genuinely needs that header, upgrading is the only mitigation.

detect

Monitors for inappropriate disclosure of Vault tokens to auth plugin backends via audit logs or network flows. Note that Vault audit devices HMAC token values by default, so a leaked token will not appear in clear text in the audit log itself.
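The two preventive checks above in working form, as an added example that is not HashiCorp's code: an audit of each auth mount's passthrough header list (the precondition for the leak) and a version gate against the fixed releases named in the advisory. The per-mount input shape is assumed to match `vault read -format=json sys/auth/<path>/tune`, and the sample tune output is constructed for the example.

```python
"""Audit helpers for CVE-2026-4525 (HashiCorp Vault, HCSEC-2026-07).

Added example, not HashiCorp code. Two checks a Vault operator would run:
  1. flag auth mounts whose passthrough_request_headers include
     "Authorization" (the precondition for the token leak), from the JSON
     shape assumed to match `vault read -format=json sys/auth/<path>/tune`;
  2. compare a running Vault version against the fixed releases named in
     the advisory (1.19.16, 1.20.10, 1.21.5, 2.0.0).
The sample tune output below is constructed for the example.
"""
import re

# Fixed release per 1.x branch, from the advisory. Any 2.x release is fixed.
FIXED_BY_BRANCH = {
    (1, 19): (1, 19, 16),
    (1, 20): (1, 20, 10),
    (1, 21): (1, 21, 5),
}
FIRST_AFFECTED = (0, 11, 2)  # lower bound of the affected range on the page

# Constructed sample: per-mount `sys/auth/<path>/tune` responses.
SAMPLE_TUNE_OUTPUT = {
    "oidc/": {"data": {"default_lease_ttl": 2764800, "max_lease_ttl": 2764800,
                       "passthrough_request_headers": ["authorization", "X-Forwarded-For"]}},
    "userpass/": {"data": {"default_lease_ttl": 2764800, "max_lease_ttl": 2764800}},
    "approle/": {"data": {"default_lease_ttl": 2764800, "max_lease_ttl": 2764800,
                          "passthrough_request_headers": ["X-Request-Id"]}},
}


def parse_version(text):
    """'v1.19.15' or '1.19.15+ent' -> (1, 19, 15). Raises ValueError on junk."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Vault version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_fixed(version):
    """True if the release carries the fix, False if it is in the affected
    range, None if the advisory says nothing about that branch."""
    ver = parse_version(version)
    if ver < FIRST_AFFECTED:
        return None                      # below the range the page lists
    if ver >= (2, 0, 0):
        return True
    fixed = FIXED_BY_BRANCH.get(ver[:2])
    if fixed is None:
        # every pre-1.19 release in range is affected; a 1.x branch newer
        # than 1.21 that the advisory does not name is reported as unknown
        return False if ver < (1, 19, 0) else None
    return ver >= fixed


def mount_passes_authorization(tune_response):
    """True when the mount's tune config forwards the Authorization header.
    HTTP header names are case-insensitive, so compare case-insensitively."""
    headers = tune_response.get("data", {}).get("passthrough_request_headers") or []
    return any(h.strip().lower() == "authorization" for h in headers)


def audit_mounts(tune_by_path):
    """Return the sorted list of mount paths that meet the CVE precondition."""
    return sorted(p for p, resp in tune_by_path.items() if mount_passes_authorization(resp))


if __name__ == "__main__":
    for path in audit_mounts(SAMPLE_TUNE_OUTPUT):
        print(f"{path}: Authorization is in passthrough_request_headers; "
              f"remove it or upgrade to a fixed release")
    labels = {True: "fixed", False: "affected", None: "not covered by advisory"}
    for v in ("1.19.15", "1.19.16", "1.20.9", "1.21.5", "2.0.0", "1.22.0"):
        print(v, labels[is_fixed(v)])
```

To feed real data, read `vault read -format=json sys/auth/<path>/tune` for every path returned by `vault auth list` and pass the parsed documents to `audit_mounts`. The passthrough list is changed with `vault auth tune -passthrough-request-headers=... <path>`; removing "Authorization" closes the precondition, but it also breaks any auth plugin that relies on that header, in which case upgrading to the fixed release is the only option.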

References

HashiCorp, HCSEC-2026-07: Vault may expose tokens to auth plugins due to incorrect header sanitization. https://discuss.hashicorp.com/t/hcsec-2026-07-vault-may-expose-tokens-to-auth-plugins-due-to-incorrect-header-sanitization/77344