PatchSiren cyber security CVE debrief
CVE-2026-3605 Hashicorp CVE debrief
CVE-2026-3605 is a high-severity vulnerability in Hashicorp Vault. An authenticated user could delete secrets they were not authorized to access, making those secrets unavailable to their legitimate consumers (a denial of service). The vulnerability has a CVSS score of 8.1 and was fixed in Vault Community Edition 2.0.0 and in Vault Enterprise 2.0.0, 1.21.5, 1.20.10 and 1.19.16. It did not allow a malicious user to delete secrets in another namespace or to read secret data. Exposure is limited to users who reach a KV version 2 (kvv2) path through a policy whose path rule contains a glob. Hashicorp has published a vendor advisory with mitigation guidance.
- Vendor: Hashicorp
- Product: Vault
- CVSS: HIGH 8.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-17
- Original CVE updated: 2026-06-30
- Advisory published: 2026-04-17
- Advisory updated: 2026-06-30
Who should care
Hashicorp Vault users, administrators and security teams should review their exposure. Affected releases are Vault Enterprise 1.19.x before 1.19.16, 1.20.x before 1.20.10 and 1.21.x before 1.21.5, and every Vault Community Edition release before 2.0.0 (the only fixed Community Edition release is 2.0.0). Check the running version of each cluster with `vault status` or `vault version`, compare it against the fixed releases, and apply Hashicorp's patches or mitigations.
Technical summary
CVE-2026-3605 is a flaw in Hashicorp Vault's handling of KV version 2 (kvv2) paths. An authenticated user whose policy grants access to a kvv2 path through a glob could delete secrets under that path that the policy did not allow them to read or write. The impact is loss of availability of those secrets (denial of service), rated HIGH with a CVSS score of 8.1. The vulnerability was published on April 17, 2026 and the record was last updated on June 30, 2026. The affected CPE is cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*, with vulnerable ranges from 0.10.0 before 1.19.16, from 1.20.0 before 1.20.10 and from 1.21.0 before 1.21.5. The advisory identifies the glob in the policy as the trigger, so any policy that grants kvv2 capabilities through a glob should be treated as in scope.
Defensive priority
Treat this as high priority: the flaw lets an authenticated user destroy secrets, and the loss of a secret can take down every service that depends on it. Update to Vault Community Edition 2.0.0 or, for Vault Enterprise, to 2.0.0, 1.21.5, 1.20.10 or 1.19.16, whichever matches your release train. Until the update lands, reviewing which policies reach kvv2 paths through globs and tightening them reduces the population of users who can trigger the issue.
Recommended defensive actions
- Update to Vault Community Edition 2.0.0, or to Vault Enterprise 2.0.0, 1.21.5, 1.20.10 or 1.19.16 for your release train.
- Inventory policies that grant capabilities on kvv2 paths through a glob (`*`) and replace them with explicit paths where practical. kvv2 exposes each secret under several API prefixes (`data/`, `delete/`, `undelete/`, `destroy/` and `metadata/`), so review globs against every prefix, not only `data/`.
- Grant `delete` on `data/` and `metadata/` paths, and `update` on `delete/` and `destroy/` paths, only to identities that must remove secrets; most consumers need `read` alone.
- Monitor the audit log for `delete` operations on kvv2 `data/` and `metadata/` paths and for `update` operations on `delete/` and `destroy/` paths, especially from identities that do not normally write to those secrets.
- Where patching is delayed, make sure an audit device is enabled so deletions are recorded, and remember that a soft-deleted kvv2 version can be restored with `vault kv undelete` until it is destroyed or its metadata is deleted, so a deletion caught quickly is recoverable.
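As an added example for the monitoring step above (not code from PatchSiren or Hashicorp), the following Python script flags destructive kvv2 requests in a Vault file-audit-device log. It assumes the audit device's JSON-lines format with `type`, `time`, `auth` and `request` fields, kvv2 mounts at `secret/` and `kv/` (an assumption; pass your own mount names), and uses constructed log lines rather than a real capture. Its prefix/operation table covers all four ways a kvv2 secret can be removed, which goes beyond the single deletion path the text mentions.

```python
"""Flag destructive KV v2 (kvv2) requests in a Vault audit log.

Added example for this debrief, not code from PatchSiren or HashiCorp.
It assumes the file audit device's format: one JSON object per line with
"type", "time", "auth" and "request" keys.  The log lines below are
constructed for the example; the mount names passed in are assumptions.
"""
import json
from collections import Counter

# KV v2 exposes several API prefixes under a mount.  These are the prefix /
# operation pairs that remove secret data; the operation names are the ones
# Vault writes into audit entries.
DESTRUCTIVE_KV2 = {
    "data":     {"delete"},  # DELETE <mount>/data/<p>: soft-delete latest version
    "delete":   {"update"},  # POST   <mount>/delete/<p>: soft-delete listed versions
    "destroy":  {"update"},  # POST   <mount>/destroy/<p>: permanently destroy versions
    "metadata": {"delete"},  # DELETE <mount>/metadata/<p>: drop all versions and metadata
}


def is_destructive_kv2(path, operation, mounts):
    """Return True if `path` is a kvv2 path on one of `mounts` and `operation`
    is one that deletes or destroys secret versions."""
    for mount in mounts:
        prefix = mount.strip("/") + "/"
        if not path.startswith(prefix):
            continue
        kind, _, secret = path[len(prefix):].partition("/")
        if secret and operation in DESTRUCTIVE_KV2.get(kind, ()):
            return True
    return False


def find_destructive_kv2(lines, mounts):
    """Parse audit log lines and return the destructive kvv2 requests as dicts.

    Only "response" entries are used, so each hit carries the outcome: an empty
    "error" means Vault actually performed the deletion."""
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        entry = json.loads(raw)
        if entry.get("type") != "response":
            continue
        req = entry.get("request", {})
        path, op = req.get("path", ""), req.get("operation", "")
        if not is_destructive_kv2(path, op, mounts):
            continue
        auth = entry.get("auth", {})
        hits.append({
            "time": entry.get("time"),
            "actor": auth.get("display_name") or auth.get("entity_id") or "unknown",
            "policies": sorted(auth.get("policies", [])),
            "operation": op,
            "path": path,
            "namespace": req.get("namespace", {}).get("path", ""),
            "error": entry.get("error", ""),
        })
    return hits


def deletions_per_actor(hits):
    """Count successful deletions per actor.  A spike for one identity, or an
    actor deleting under a path it normally only reads, is the signal."""
    return dict(Counter(h["actor"] for h in hits if not h["error"]))


def _entry(kind, time, who, policies, op, path, error=""):
    """Build one constructed audit entry (token hashes and secret data omitted)."""
    e = {"type": kind, "time": time,
         "auth": {"display_name": who, "entity_id": "e-" + who, "policies": policies},
         "request": {"operation": op, "path": path, "namespace": {"id": "root", "path": ""}}}
    if error:
        e["error"] = error
    return json.dumps(e)


DENIED = "1 error occurred:\n\t* permission denied\n\n"
# Constructed sample: alice's read of a team-b secret is denied, yet her
# delete and destroy on the same path go through; bob's delete is refused.
SAMPLE_AUDIT_LINES = [
    _entry("request",  "2026-04-18T09:00:01Z", "alice", ["default", "team-a-rw"], "delete", "secret/data/team-b/api-key"),
    _entry("response", "2026-04-18T09:00:01Z", "alice", ["default", "team-a-rw"], "delete", "secret/data/team-b/api-key"),
    _entry("response", "2026-04-18T09:00:02Z", "alice", ["default", "team-a-rw"], "update", "secret/destroy/team-b/api-key"),
    _entry("response", "2026-04-18T09:00:03Z", "alice", ["default", "team-a-rw"], "read",   "secret/data/team-b/api-key", DENIED),
    _entry("response", "2026-04-18T09:05:00Z", "ci",    ["default", "ci-rw"],     "update", "kv/data/app/config"),
    _entry("response", "2026-04-18T09:05:01Z", "ci",    ["default", "ci-rw"],     "delete", "kv/metadata/app/old-config"),
    _entry("response", "2026-04-18T09:06:00Z", "bob",   ["default"],              "delete", "secret/metadata/team-b/db", DENIED),
]

if __name__ == "__main__":
    hits = find_destructive_kv2(SAMPLE_AUDIT_LINES, ["secret", "kv"])
    for h in hits:
        status = "DENIED" if h["error"] else "OK"
        print(f'{h["time"]} {status:6} {h["actor"]:6} {h["operation"]:6} {h["path"]}  policies={h["policies"]}')
    print(deletions_per_actor(hits))
```

Run it as-is to print the constructed hits; for real data, pass an open audit log file (or `sys.stdin`) to `find_destructive_kv2` with your own mount names. Rotation pipelines delete old versions legitimately, so baseline per actor and alert on deletions by identities whose policies are read-oriented or whose reads on the same path were denied, which is the shape of the constructed `alice` entries.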
Evidence notes
The CVE record and the NVD entry are the official descriptions of the vulnerability; Hashicorp's vendor advisory carries the mitigation guidance, and Red Hat has published references for affected systems. The CVSS score and severity quoted above come from the CVSS:3.1 vector in those sources.
Official resources
- CVE-2026-3605 CVE record (CVE.org)
- CVE-2026-3605 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: Vendor Advisory (Hashicorp)
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.