PatchSiren cyber security CVE debrief

CVE-2026-3605 Hashicorp CVE debrief

CVE-2026-3605 is a high-severity vulnerability in Hashicorp Vault, allowing authenticated users to delete secrets they are not authorized to access, resulting in a denial-of-service. This vulnerability, with a CVSS score of 8.1, was fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16. The vulnerability did not allow malicious users to delete secrets across namespaces or read secret data. Users with access to a kvv2 path through a policy containing a glob may be affected. Hashicorp has provided a vendor advisory for mitigation.

Vendor: Hashicorp
Product: Vault
CVSS: HIGH 8.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-17
Original CVE updated: 2026-06-30
Advisory published: 2026-04-17
Advisory updated: 2026-06-30

Who should care

Hashicorp Vault users, administrators, and security teams should be aware of this vulnerability. Affected versions include Vault Enterprise 1.19.0 to 1.19.16, 1.20.0 to 1.20.10, and 1.21.0 to 1.21.5, as well as Vault Community Edition prior to 2.0.0. Users should check their inventory and apply patches or mitigations as recommended by Hashicorp.

Technical summary

CVE-2026-3605 is a vulnerability in Hashicorp Vault's kvv2 path handling. An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write. This results in a denial-of-service, with a CVSS score of 8.1 and HIGH severity. The vulnerability was publicly disclosed on April 17, 2026, and updated on June 30, 2026. Affected CPEs include cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:* for versions 0.10.0 to 1.19.16, 1.20.0 to 1.20.10, and 1.21.0 to 1.21.5.

Defensive priority

High priority should be given to patching or mitigating this vulnerability, as it allows for denial-of-service attacks. Users should prioritize updating to Vault Community Edition 2.0.0 or Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16. Additionally, reviewing and restricting access to kvv2 paths and ensuring proper policy configurations can help reduce risk.

Recommended defensive actions

  • Update to Vault Community Edition 2.0.0 or Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.
  • Review and restrict access to kvv2 paths.
  • Ensure proper policy configurations to prevent unauthorized access.
  • Monitor for suspicious activity related to kvv2 path deletions.
  • Consider compensating controls, such as additional logging and monitoring.
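As an added example for the monitoring and logging actions above (not part of the original debrief or of Hashicorp's tooling), the following Python scans Vault JSON audit-device entries for kvv2 deletion calls made by tokens outside an assumed allow-list of deletion policies. The mount name `secret`, the policy names, and the sample log lines are all constructed assumptions; only the kvv2 endpoint layout (data/, metadata/, delete/, destroy/) follows Vault's documented API.

```python
import json
import re

# Assumed kvv2 mount name; adjust to the mount used in your own Vault.
KV_MOUNT = "secret"

# kvv2 calls that remove data: DELETE on data/ and metadata/, and POST to
# delete/ and destroy/ (POST is recorded by the audit device as "update").
DESTRUCTIVE = [
    (re.compile(rf"^{KV_MOUNT}/data/"), "delete"),
    (re.compile(rf"^{KV_MOUNT}/metadata/"), "delete"),
    (re.compile(rf"^{KV_MOUNT}/delete/"), "update"),
    (re.compile(rf"^{KV_MOUNT}/destroy/"), "update"),
]

def flag_kv_deletions(lines, expected_policies=("kv-admin",)):
    """Return kvv2 deletion events issued by tokens holding none of the
    expected_policies (an assumed allow-list of policies meant to delete)."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("type") != "request":  # the audit device also emits "response" entries
            continue
        req = ev["request"]
        for pattern, op in DESTRUCTIVE:
            if req.get("operation") == op and pattern.match(req.get("path", "")):
                policies = set(ev.get("auth", {}).get("policies", []))
                if not policies & set(expected_policies):
                    findings.append({
                        "time": ev.get("time"),
                        "path": req["path"],
                        "operation": op,
                        "display_name": ev.get("auth", {}).get("display_name"),
                        "policies": sorted(policies),
                        "remote_address": req.get("remote_address"),
                    })
                break
    return findings

# Constructed sample audit entries (not real logs); shape follows Vault's JSON audit device.
SAMPLE_LOG = [
    '{"time":"2026-04-20T10:00:01Z","type":"request","auth":{"display_name":"ci-token","policies":["default","app-glob"]},"request":{"operation":"read","path":"secret/data/app/db","remote_address":"10.0.0.5"}}',
    '{"time":"2026-04-20T10:00:02Z","type":"request","auth":{"display_name":"ci-token","policies":["default","app-glob"]},"request":{"operation":"delete","path":"secret/data/billing/api-key","remote_address":"10.0.0.5"}}',
    '{"time":"2026-04-20T10:00:03Z","type":"request","auth":{"display_name":"ops","policies":["default","kv-admin"]},"request":{"operation":"delete","path":"secret/metadata/old/service","remote_address":"10.0.0.9"}}',
    '{"time":"2026-04-20T10:00:04Z","type":"request","auth":{"display_name":"ci-token","policies":["default","app-glob"]},"request":{"operation":"update","path":"secret/destroy/billing/api-key","remote_address":"10.0.0.5"}}',
]

if __name__ == "__main__":
    for finding in flag_kv_deletions(SAMPLE_LOG):
        print(finding)
```

Feed it the lines of your audit log file (or a log-forwarder stream) and alert on any non-empty result; tokens that legitimately delete belong in the allow-list rather than being filtered out of the log.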

Evidence notes

The CVE record and NVD detail provide official information on the vulnerability. Hashicorp's vendor advisory offers mitigation guidance. Red Hat has also provided references for affected systems. The vulnerability's CVSS score and severity are based on the CVSS:3.1 vector provided.

Official resources

This article is AI-assisted and based on the supplied source corpus.