Timeline
- Aug 1, 2025 CVE Published
**Bulletin ID:** HCSEC-2025-13

**Affected Products / Versions:** Vault Community Edition from 0.10.4 up to 1.19.5, fixed in 1.20.0. Vault Enterprise from 0.10.4 up to 1.19.5, 1.18.10, 1.16.21, fixed in 1.20.0, 1.19.6, 1.18.11 and 1.16.22.

**Publication Date:** August 1, 2025

**Summary**

A privileged Vault operator with write permissions to the root namespace's identity endpoint could escalate their own or another user's token privileges to Vault's root policy. This vulnerability, identified as CVE-2025-5999, is fixed in Vault Community Edition 1.20.0 and Vault Enterprise 1.20.0, 1.19.6, 1.18.11 and 1.16.22.

**Background**

Vault's [identity secrets engine](https://developer.hashicorp.com/vault/docs/secrets/identity) can map a single Vault client ("entity") to multiple authentication methods, so that all Vault clients can be managed in one place for authentication and authorization. Write access to Vault's identity API endpoint allows operators to assign any existing (non-root) policies to entities.

Vault [namespaces](https://developer.hashicorp.com/vault/docs/enterprise/namespaces) are a mechanism for providing tenant isolation and aiding in the long-term management of a Vault instance. [Administrative namespaces](https://developer.hashicorp.com/vault/docs/enterprise/namespaces/create-admin-namespace) grant a given namespace access to a pre-defined subset of privileged backend system endpoints in Vault.

**Details**

Due to the normalisation of policy names and incomplete input validation, a privileged Vault operator could potentially escalate an entity's issued, valid token privileges to Vault's root policy for the remainder of the token's validity period. Because of additional validation, the vulnerability does not affect entities in namespaces (including administrative namespaces); it only affects root namespace entities. This issue does not affect HCP Vault Dedicated due to its use of administrative namespaces.

**Remediation**

Customers should evaluate the risk associated with this issue and consider upgrading to Vault Community Edition 1.20.0 or Vault Enterprise 1.20.0, 1.19.6, 1.18.11 and 1.16.22. Please refer to [Upgrading Vault](https://developer.hashicorp.com/vault/docs/upgrading) for general guidance. Alternatively, [Sentinel EGP policies](https://developer.hashicorp.com/vault/tutorials/policies/sentinel) can be used.

If an entity was assigned the root policy, requests in Vault audit logs will contain "root" inside the "identity_policies" array.

**Acknowledgement**

This issue was identified by Yarden Porat of Cyata Security who reported it to HashiCorp.

*We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see [https://hashicorp.com/security](https://hashicorp.com/security).*
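The remediation note above gives one concrete detection signal: a request whose `auth.identity_policies` array contains `"root"`. The following scanner is an added example written for this page, not HashiCorp code or tooling; it walks a Vault audit log in its JSON Lines form and reports every entry that matches that signal. The log records it runs over are constructed here for illustration (the entity ID, paths, addresses and HMAC placeholders are made up), and the field names it reads (`time`, `type`, `auth.identity_policies`, `auth.token_policies`, `auth.entity_id`, `request.path`, `request.operation`, `request.remote_address`) are the standard Vault audit-entry fields.

```python
import json
import sys

# Constructed sample audit log (JSON Lines), not real Vault output.
# Line 1: ordinary user token, identity policy "dev-read" only.
# Line 2: a genuine root token; "root" appears in token_policies, NOT in
#         identity_policies, so it must not be reported.
# Line 3: an unauthenticated login request (auth is null).
# Line 4: the bulletin's signal: "root" inside identity_policies.
# Line 5: garbage that a scanner must skip rather than crash on.
SAMPLE_AUDIT_LOG = """\
{"time":"2025-08-01T10:00:00Z","type":"request","auth":{"client_token":"hmac-sha256:a1","accessor":"hmac-sha256:b1","display_name":"userpass-alice","entity_id":"e1111111-1111-1111-1111-111111111111","policies":["default","dev-read"],"token_policies":["default"],"identity_policies":["dev-read"]},"request":{"id":"r1","operation":"read","path":"secret/data/app","remote_address":"10.0.0.5"}}
{"time":"2025-08-01T10:01:00Z","type":"request","auth":{"client_token":"hmac-sha256:a2","accessor":"hmac-sha256:b2","display_name":"root","policies":["root"],"token_policies":["root"],"identity_policies":[]},"request":{"id":"r2","operation":"update","path":"sys/policies/acl/dev-read","remote_address":"10.0.0.2"}}
{"time":"2025-08-01T10:02:00Z","type":"request","auth":null,"request":{"id":"r3","operation":"update","path":"auth/userpass/login/alice","remote_address":"10.0.0.5"}}
{"time":"2025-08-01T10:03:00Z","type":"request","auth":{"client_token":"hmac-sha256:a1","accessor":"hmac-sha256:b1","display_name":"userpass-alice","entity_id":"e1111111-1111-1111-1111-111111111111","policies":["default","root"],"token_policies":["default"],"identity_policies":["root"]},"request":{"id":"r4","operation":"update","path":"sys/policies/acl/default","remote_address":"10.0.0.5"}}
this line is not JSON and must be skipped, not abort the scan
"""


def find_root_identity_escalations(log_text):
    """Return one finding per audit entry whose auth.identity_policies
    contains "root", which is the indicator the bulletin describes.

    A root token legitimately carries "root" in token_policies, so that
    field is deliberately not consulted: only identity-derived root is
    anomalous. Malformed lines are skipped so a partial or rotated log
    does not stop the scan."""
    findings = []
    for lineno, raw in enumerate(log_text.splitlines(), start=1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue
        auth = entry.get("auth") or {}          # null for login requests
        identity_policies = auth.get("identity_policies") or []
        if "root" not in identity_policies:
            continue
        req = entry.get("request") or {}
        findings.append({
            "line": lineno,
            "time": entry.get("time"),
            "type": entry.get("type"),
            "entity_id": auth.get("entity_id"),      # not HMACed in audit logs
            "display_name": auth.get("display_name"),
            "accessor": auth.get("accessor"),        # HMACed; matching needs sys/audit-hash
            "operation": req.get("operation"),
            "path": req.get("path"),
            "remote_address": req.get("remote_address"),
            "identity_policies": list(identity_policies),
        })
    return findings


def affected_entities(findings):
    """Distinct entity IDs seen with identity-derived root, sorted, so the
    operator knows whose tokens to revoke after upgrading."""
    return sorted({f["entity_id"] for f in findings if f.get("entity_id")})


if __name__ == "__main__":
    # Usage: python scan_identity_root.py /var/log/vault/audit.log
    # With no argument the constructed sample above is scanned.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_AUDIT_LOG
    hits = find_root_identity_escalations(text)
    for h in hits:
        print(json.dumps(h))
    print("affected entities:", affected_entities(hits))
```

Run against the sample, only the fourth record is reported; the real root token on line 2 is left alone because its `identity_policies` array is empty. The `entity_id` in a finding is stored in clear in the audit log and is the pivot for follow-up: after upgrading to a fixed version, revoke the tokens of every listed entity, since the bulletin notes an already-issued token keeps its escalated privileges until it expires.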