{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-3605","assignerOrgId":"67fedba0-ff2e-4543-ba5b-aa93e87718cc","state":"PUBLISHED","assignerShortName":"HashiCorp","dateReserved":"2026-03-05T16:37:23.520Z","datePublished":"2026-04-17T02:44:42.032Z","dateUpdated":"2026-06-30T12:09:24.426Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","platforms":["64 bit","32 bit","x86","ARM","MacOS","Windows","Linux"],"product":"Vault","repo":"https://github.com/hashicorp/vault","vendor":"HashiCorp","versions":[{"lessThan":"2.0.0","status":"affected","version":"0.10.0","versionType":"semver"}]},{"defaultStatus":"unaffected","platforms":["64 bit","32 bit","x86","ARM","MacOS","Windows","Linux"],"product":"Vault Enterprise","repo":"https://github.com/hashicorp/vault","vendor":"HashiCorp","versions":[{"changes":[{"at":"1.19.16","status":"unaffected"},{"at":"1.20.10","status":"unaffected"},{"at":"1.21.5","status":"unaffected"}],"lessThan":"2.0.0","status":"affected","version":"0.10.0","versionType":"semver"}]}],"credits":[{"lang":"en","value":"This issue was independently identified and reported by chungkn from OneMount Group, as well as Andy RUSSON et Gabriel DEPARTOUT from almond.eu , sponsored the ANSSI (French Cybersecurity Agency) open-source security audit program."}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user to delete secrets across namespaces, nor read any secret data. Fxed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.</p><br/>"}],"value":"An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user to delete secrets across namespaces, nor read any secret data. Fxed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16."}],"impacts":[{"capecId":"CAPEC-126","descriptions":[{"lang":"en","value":"CAPEC-126: Path Traversal"}]}],"metrics":[{"cvssV3_1":{"baseScore":8.1,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-288","description":"CWE-288: Authentication Bypass Using an Alternate Path or Channel","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"67fedba0-ff2e-4543-ba5b-aa93e87718cc","shortName":"HashiCorp","dateUpdated":"2026-04-17T17:57:55.431Z"},"references":[{"url":"https://discuss.hashicorp.com/t/hcsec-2026-05-vault-kvv2-metadata-and-secret-deletion-policy-bypass-denial-of-service/77342"}],"source":{"advisory":"HCSEC-2026-05","discovery":"EXTERNAL"},"title":"Vault KVv2 Metadata and Secret Deletion Policy Bypass Denial-of-Service"},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-04-17T13:20:23.015074Z","id":"CVE-2026-3605","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-04-17T13:20:28.557Z"}},{"affected":[{"cpes":["cpe:/a:redhat:openshift_data_foundation:4"],"defaultStatus":"affected","product":"Red Hat Openshift Data Foundation 4","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift:4"],"defaultStatus":"unaffected","product":"Red Hat OpenShift Container Platform 4","vendor":"Red Hat"}],"datePublic":"2026-04-17T02:44:42.032Z","descriptions":[{"lang":"en","value":"A flaw was found in Vault. An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write. This vulnerability can lead to a denial-of-service by allowing the deletion of critical data. It does not permit a malicious user to delete secrets across namespaces or read any secret data."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-639","description":"Authorization Bypass Through User-Controlled Key","lang":"en","type":"CWE"}]}],"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-3605"},{"name":"RHBZ#2459105","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2459105"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-3605.json"}],"timeline":[{"lang":"en","time":"2026-04-17T04:01:18.559Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-04-17T02:44:42.032Z","value":"Made public."}],"title":"Vault: Vault: Denial of Service due to unauthorized secret deletion via policy bypass","workarounds":[{"lang":"en","value":"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}],"x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"},"providerMetadata":{"orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP","dateUpdated":"2026-06-30T12:09:24.426Z"}}]}}