
Unauthorized user may delete secrets, causing service disruption

CVE-2026-3605
Summary

An authenticated user who is granted access to a kv v2 path through a Vault policy containing a glob may accidentally or intentionally delete other secrets they are not allowed to read or write, disrupting the services that depend on them. The issue does not cross namespaces and does not expose any secret data. It is fixed in Vault Community Edition 2.0.0 and in Vault Enterprise 2.0.0, 1.21.5, 1.20.10 and 1.19.16; to protect your system, update to one of those releases. Until you can upgrade, review policies that grant kv v2 paths through globs and narrow them to the exact paths each principal needs.

Original description
An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user to delete secrets across namespaces, nor read any secret data. Fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.
NVD CVSS 3.1 base score: 8.1
Vulnerability type
CWE-288: Authentication Bypass Using an Alternate Path or Channel
Published: 17 Apr 2026 · Updated: 17 Apr 2026 · First seen: 17 Apr 2026
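Two checks a practitioner would want from this advisory, as an added example and not Vault's own code: an affected-version test built from the fixed releases listed above, and a scanner that pulls glob rules over kv v2 mounts out of policy text so they can be reviewed or narrowed. The sample policy is constructed, the mount name `secret` and the helper names are assumptions, and treating Vault's `+` single-segment wildcard as a glob alongside `*` is a conservative choice the advisory does not spell out.

```python
"""Added audit helpers for CVE-2026-3605: affected-version check and a scanner
for glob rules over kv v2 mounts in Vault policy text. Not Vault's own code."""
import re
from typing import Dict, List, Tuple

# Fixed releases named in the advisory. Community Edition is fixed only in
# 2.0.0; Enterprise has backports on the 1.19, 1.20 and 1.21 branches.
ENTERPRISE_BACKPORTS = {(1, 19): (1, 19, 16), (1, 20): (1, 20, 10), (1, 21): (1, 21, 5)}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Reduce '1.20.9', 'v1.21.4+ent' or '1.19.15-rc1' to a comparable tuple."""
    core = version.lstrip("v").split("+", 1)[0].split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_affected(version: str, enterprise: bool) -> bool:
    """True when the build predates every fix listed for its edition."""
    v = parse_version(version)
    if v >= (2, 0, 0):
        return False
    if not enterprise:
        return True                      # CE: no 1.x backport exists
    backport = ENTERPRISE_BACKPORTS.get(v[:2])
    if backport is None:
        return True                      # branch with no listed fix: treat as vulnerable
    return v < backport


# Matches one `path "..." { ... }` rule in Vault's HCL policy syntax.
PATH_RULE = re.compile(r'path\s+"(?P<path>[^"]+)"\s*\{(?P<body>.*?)\}', re.DOTALL)
CAPABILITIES = re.compile(r'capabilities\s*=\s*\[(?P<caps>[^\]]*)\]')


def glob_rules(policy_hcl: str, kv2_mounts: List[str]) -> List[Dict[str, object]]:
    """List every rule whose path is a glob ('*' suffix or '+' segment) that
    falls under one of the given kv v2 mounts, with its capabilities.

    Assumption: the advisory only says "a glob"; counting the '+' single-segment
    wildcard as a glob too is a conservative choice for an audit.
    """
    findings = []
    for rule in PATH_RULE.finditer(policy_hcl):
        path, body = rule.group("path"), rule.group("body")
        if "*" not in path and "+" not in path:
            continue                     # exact path: not the pattern the advisory describes
        covers_mount = path == "*" or any(
            path.startswith(m + "/") or path == m + "*" for m in kv2_mounts)
        if not covers_mount:
            continue
        caps_match = CAPABILITIES.search(body)
        caps = sorted(c.strip().strip('"') for c in caps_match.group("caps").split(",")
                      if c.strip()) if caps_match else []
        findings.append({"path": path, "capabilities": caps})
    return findings


# Constructed sample policy for demonstration; not from any real deployment.
SAMPLE_POLICY = '''
path "secret/*" {
  capabilities = ["read", "delete"]
}

path "secret/data/team-a/db" {
  capabilities = ["read"]
}

path "secret/metadata/+/config" {
  capabilities = ["list"]
}

path "auth/token/lookup-self" {
  capabilities = ["read"]
}
'''

if __name__ == "__main__":
    for build, ent in [("1.21.4+ent", True), ("1.21.5+ent", True), ("1.21.5", False)]:
        print(f"{build}: {'AFFECTED' if is_affected(build, ent) else 'fixed'}")
    for finding in glob_rules(SAMPLE_POLICY, kv2_mounts=["secret"]):
        print("review glob rule:", finding["path"], finding["capabilities"])
```

Feed `glob_rules` the output of `vault policy read <name>` for each policy and the list of kv v2 mounts from `vault secrets list`; every finding is a rule to justify or replace with the exact `data/` and `metadata/` paths the principal needs. The version check deliberately treats any 1.x branch without a listed backport as affected, since the advisory gives no fix for it.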