Policy Bypass Vulnerability in HashiCorp Vault Products
CVE-2026-3605

8.1 HIGH

Key Information:

Vendor: HashiCorp
CVE Published: 17 April 2026

What is CVE-2026-3605?

An authenticated user with access to the kvv2 path may exploit a flaw in access policies that use glob patterns to delete secrets they lack permissions to manage. This could disrupt service because critical secret metadata can no longer be accessed, although the vulnerability does not permit unauthorized reading of secrets across namespaces.

Affected Version(s)

Vault 64 bit 0.10.0 < 2.0.0

Vault Enterprise 64 bit 0.10.0 < 2.0.0

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
