CVE-2026-3605 HIGH

CVE-2026-3605: Vault KVv2 Metadata and Secret Deletion Policy Bypass Denial-of-Service

Vendor HashiCorp
Product Vault
Weakness CWE-288 (Authentication Bypass Using an Alternate Path or Channel)
Published April 17, 2026
Last update June 30, 2026

CVSS base score

8.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality None
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

What the vulnerability does

01Description

An authenticated user with access to a KV v2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial of service. The vulnerability does not allow a malicious user to delete secrets across namespaces, nor to read any secret data. Fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.
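The advisory names the risky ingredient (a glob in a policy that reaches a KV v2 path) but not which rule shapes trigger the bypass, so the only fix is upgrading to a listed version. While waiting to upgrade, an operator can at least inventory which policies combine a glob with a deletion-capable KV v2 endpoint. The script below is an added example written for this page, not HashiCorp's code or a reproduction of the bug: it parses the common `path "..." { capabilities = [...] }` policy layout offline and flags every glob rule that grants `delete` on the `data/` or `metadata/` endpoints, or `update` on the `delete/` or `destroy/` endpoints. The sample policy, the mount name `secret`, and the rule contents are constructed assumptions.

```python
"""Offline audit of a Vault ACL policy for glob rules that can delete KV v2 secrets."""
import re
from dataclasses import dataclass

# Constructed sample policy for this example; it is not from the advisory.
# The mount name "secret" and the rule contents are assumptions.
SAMPLE_POLICY = '''
# Application team policy (constructed example)
path "secret/data/app/config" {
  capabilities = ["read"]
}

path "secret/metadata/app/*" {
  capabilities = ["list", "read", "delete"]
}

path "secret/delete/app/*" {
  capabilities = ["update"]
}

path "secret/data/shared/+/status" {
  capabilities = ["read"]
}
'''

# KV v2 sub-endpoints through which secret versions or metadata can be removed,
# mapped to the policy capability that permits that operation.
DELETING_CAPS = {
    "data": {"delete"},      # DELETE <mount>/data/<path> soft-deletes the latest version
    "metadata": {"delete"},  # DELETE <mount>/metadata/<path> removes all versions and metadata
    "delete": {"update"},    # POST <mount>/delete/<path> soft-deletes the listed versions
    "destroy": {"update"},   # POST <mount>/destroy/<path> permanently removes the listed versions
}

# Minimal matcher for `path "<p>" { capabilities = [...] }` blocks. It does not
# cover every HCL construct (e.g. parameter constraints), only the common layout.
RULE_RE = re.compile(
    r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}', re.S
)


@dataclass(frozen=True)
class Finding:
    path: str
    capabilities: tuple
    reason: str


def parse_policy(text):
    """Return a list of (path, capabilities) tuples from a policy document."""
    rules = []
    for path, caps in RULE_RE.findall(text):
        rules.append((path, tuple(re.findall(r'"([^"]+)"', caps))))
    return rules


def has_glob(path):
    """True for a trailing `*` glob or a `+` single-segment wildcard."""
    return path.endswith("*") or "+" in path.split("/")


def audit_kv2_policy(text, mount="secret"):
    """Flag glob rules that grant a deletion-capable operation on a KV v2 mount."""
    findings = []
    for path, caps in parse_policy(text):
        parts = path.split("/")
        if len(parts) < 2 or parts[0] != mount:
            continue
        endpoint = parts[1]
        # A "deny" rule removes access, so it cannot widen deletion rights.
        if endpoint not in DELETING_CAPS or "deny" in caps or not has_glob(path):
            continue
        risky = sorted(set(caps) & DELETING_CAPS[endpoint])
        if risky:
            findings.append(Finding(
                path, caps,
                f"glob rule grants {risky} on KV v2 '{endpoint}' endpoint; "
                f"confirm every secret under this prefix may be deleted by the holder",
            ))
    return findings


if __name__ == "__main__":
    for f in audit_kv2_policy(SAMPLE_POLICY):
        print(f"{f.path}: {f.reason}")
```

Run it against the output of `vault policy read <name>` for each policy and treat every finding as a prefix whose deletable scope should be narrowed to explicit paths until the cluster is on a fixed version. A clean run is not proof of safety, since the advisory does not state that only these endpoints are affected; the upgrade remains the actual fix.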

Key dates

02Disclosure timeline

April 17, 2026 CVE published
June 30, 2026 Record updated