Audit Device Validation Bypass in HashiCorp Vault
CVE-2026-5051
4.4 MEDIUM
What is CVE-2026-5051?
A vulnerability has been identified in HashiCorp Vault and Vault Enterprise versions prior to 2.0.1, where the audit device validation logic fails to consistently enforce protections on the plugin directory when utilizing the legacy file audit path option. This inconsistency may allow unauthorized access to audit logs, potentially exposing sensitive information.
Affected Version(s)
Vault 64 bit 1.20.1 < 2.0.1
Vault Enterprise 64 bit 1.19.0 < 2.0.1
CVSS V3.1
Score: 4.4
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
This issue was identified and reported by Vipin Chaudhary.