7.5
Vault: Unauthenticated attackers can block root token operations
CVE-2026-5807
Summary
An unauthenticated attacker can repeatedly initiate or cancel root token generation or rekey operations, occupying the single in-progress operation slot and blocking legitimate operators from completing these tasks. Update to Vault Community Edition 2.0.0 or Vault Enterprise 2.0.0 to fix the issue.
Original title
Vault is vulnerable to a denial-of-service condition where an unauthenticated attacker can repeatedly initiate or cancel root token generation or rekey operations, occupying the single in-progress ...
Original description
Vault is vulnerable to a denial-of-service condition where an unauthenticated attacker can repeatedly initiate or cancel root token generation or rekey operations, occupying the single in-progress operation slot. This prevents legitimate operators from completing these workflows. This vulnerability, CVE-2026-5807, is fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0.
nvd CVSS3.1
7.5
Vulnerability type
CWE-770
Allocation of Resources Without Limits
Published: 17 Apr 2026 · Updated: 17 Apr 2026 · First seen: 17 Apr 2026