Description

Vault is vulnerable to a denial-of-service condition where an unauthenticated attacker can repeatedly initiate or cancel root token generation or rekey operations, occupying the single in-progress operation slot. This prevents legitimate operators from completing these workflows. This vulnerability, CVE-2026-5807, is fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0.

Status: Published | Reserved 2026-04-08 | Published 2026-04-17 | Updated 2026-04-17 | Assigner: HashiCorp

HIGH: 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Problem types

CWE-770: Allocation of Resources Without Limits or Throttling

Product status

Default status: unaffected
Any version before 2.0.0: affected

Default status: unaffected
Any version before 2.0.0: affected

Credits

This issue was identified by XlabAI Team of Tencent Xuanwu Lab and the Atuin Automated Vulnerability Discovery Engine who reported it to HashiCorp.

References

discuss.hashicorp.com/...n-generation-rekey-operations/77345

cve.org (CVE-2026-5807)

nvd.nist.gov (CVE-2026-5807)