VDB

CVE-2026-3605

CVE-2026-3605 PUBLISHED CVSS 8.100000381469727 HIGH

An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user to delete secrets across namespaces, nor read any secret data. Fxed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.

EPSS 0.02% · 5.9th percentile

Risk Scores

CVSS v3.1
8.100000381469727
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
EPSS Score
0.02%
5.9th percentile

Affected Products

VendorProductVersions
HashiCorpVault0.10.0
HashiCorpVault Enterprise0.10.0

Timeline

  • Apr 17, 2026 CVE Published
  • Apr 17, 2026 CVE Updated
  • Apr 17, 2026 PoC Published
  • Apr 17, 2026 Security Advisory
  • May 18, 2026 EPSS Score
  • May 19, 2026 EPSS Score
  • May 20, 2026 EPSS Score
  • May 21, 2026 EPSS Score
  • May 22, 2026 EPSS Score
  • May 23, 2026 EPSS Score
  • May 24, 2026 EPSS Score
  • May 25, 2026 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›