PatchSiren

HashiCorp CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH HashiCorp CVE published 2026-04-17

CVE-2026-4525

CVE-2026-4525 is a high-severity vulnerability in HashiCorp Vault that may expose tokens to auth plugins due to incorrect header sanitization. The vulnerability has a CVSS score of 7.5 and is considered HIGH. It was published on April 17, 2026, and modified on June 30, 2026. The vulnerability affects HashiCorp Vault versions prior to 2.0.0, 1.21.5, 1.20.10, and 1.19.16. HashiCorp has released fixed versio [truncated]

HIGH HashiCorp CVE published 2026-04-17

CVE-2026-3605

CVE-2026-3605 is a high-severity vulnerability in HashiCorp Vault, allowing authenticated users to delete secrets they are not authorized to access, resulting in a denial-of-service. This vulnerability, with a CVSS score of 8.1, was fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16. The vulnerability did not allow malicious users to delete secrets across names [truncated]

HIGH HashiCorp CVE published 2026-04-09

CVE-2026-4660

CVE-2026-4660 is a vulnerability in HashiCorp's go-getter library up to version 1.8.5 that may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. The vulnerability is fixed in go-getter version 1.8.6. This vulnerability does not affect the go-getter/v2 branch and package. The CVSS score for this vulnerability is 7.5, indicating a high severity. T [truncated]