Audit Device Validation Bypass in HashiCorp Vault
CVE-2026-5051

4.4 MEDIUM

Key Information:

Vendor: HashiCorp
CVE Published: 1 July 2026

What is CVE-2026-5051?

A vulnerability has been identified in HashiCorp Vault and Vault Enterprise versions prior to 2.0.1: the audit device validation logic fails to consistently enforce protections on the plugin directory when the legacy file audit path option is used. This inconsistency may allow unauthorized access to audit logs, potentially exposing sensitive information.

Affected Version(s)

Vault 64 bit 1.20.1 < 2.0.1

Vault Enterprise 64 bit 1.19.0 < 2.0.1

CVSS V3.1

Score: 4.4
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

This issue was identified and reported by Vipin Chaudhary.