{"api_version":"1","generated_at":"2026-04-19T08:44:49+00:00","cve":"CVE-2026-4525","urls":{"html":"https://cve.report/CVE-2026-4525","api":"https://cve.report/api/cve/CVE-2026-4525.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-4525","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-4525"},"summary":{"title":"Vault Token Leaked to Backends via Authorization: Bearer Passthrough Header","description":"If a Vault auth mount is configured to pass through the \"Authorization\" header, and the \"Authorization\" header is used to authenticate to Vault, Vault forwarded the Vault token to the auth plugin backend. Fixed in 2.0.0, 1.21.5, 1.20.10, and 1.19.16.","state":"PUBLISHED","assigner":"HashiCorp","published_at":"2026-04-17 04:16:09","updated_at":"2026-04-17 15:08:25"},"problem_types":["CWE-201","CWE-201 CWE-201: Insertion of Sensitive Information Into Sent Data"],"metrics":[{"version":"3.1","source":"security@hashicorp.com","type":"Secondary","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","data":{"baseScore":7.5,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}}],"references":[{"url":"https://discuss.hashicorp.com/t/hcsec-2026-07-vault-may-expose-tokens-to-auth-plugins-due-to-incorrect-header-sanitization/77344","name":"https://discuss.hashicorp.com/t/hcsec-2026-07-vault-may-expose-tokens-to-auth-plugins-due-to-incorrect-header-sanitization/77344","refsource":"security@hashicorp.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-4525","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-4525","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"HashiCorp","product":"Vault","version":"affected 0.11.2 2.0.0 semver","platforms":["64 bit","32 bit","x86","ARM","MacOS","Windows","Linux"]},{"source":"CNA","vendor":"HashiCorp","product":"Vault Enterprise","version":"affected 0.11.2 2.0.0 semver","platforms":["64 bit","32 bit","x86","ARM","MacOS","Windows","Linux"]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"4525","cve":"CVE-2026-4525","epss":"0.000150000","percentile":"0.029300000","score_date":"2026-04-18","updated_at":"2026-04-19 00:10:43"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-4525","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2026-04-17T13:19:26.452614Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-04-17T13:19:32.463Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","platforms":["64 bit","32 bit","x86","ARM","MacOS","Windows","Linux"],"product":"Vault","repo":"https://github.com/hashicorp/vault","vendor":"HashiCorp","versions":[{"lessThan":"2.0.0","status":"affected","version":"0.11.2","versionType":"semver"}]},{"defaultStatus":"unaffected","platforms":["64 bit","32 bit","x86","ARM","MacOS","Windows","Linux"],"product":"Vault Enterprise","repo":"https://github.com/hashicorp/vault","vendor":"HashiCorp","versions":[{"changes":[{"at":"1.19.16","status":"unaffected"},{"at":"1.20.10","status":"unaffected"},{"at":"1.21.5","status":"unaffected"}],"lessThan":"2.0.0","status":"affected","version":"0.11.2","versionType":"semver"}]}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>If a Vault auth mount is configured to pass through the \"Authorization\" header, and the \"Authorization\" header is used to authenticate to Vault, Vault forwarded the Vault token to the auth plugin backend. Fixed in 2.0.0, 1.21.5, 1.20.10, and 1.19.16.</p><br/>"}],"value":"If a Vault auth mount is configured to pass through the \"Authorization\" header, and the \"Authorization\" header is used to authenticate to Vault, Vault forwarded the Vault token to the auth plugin backend. Fixed in 2.0.0, 1.21.5, 1.20.10, and 1.19.16."}],"impacts":[{"capecId":"CAPEC-118","descriptions":[{"lang":"en","value":"CAPEC-118: Collect and Analyze Information"}]}],"metrics":[{"cvssV3_1":{"baseScore":7.5,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-201","description":"CWE-201: Insertion of Sensitive Information Into Sent Data","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-17T03:00:47.561Z","orgId":"67fedba0-ff2e-4543-ba5b-aa93e87718cc","shortName":"HashiCorp"},"references":[{"url":"https://discuss.hashicorp.com/t/hcsec-2026-07-vault-may-expose-tokens-to-auth-plugins-due-to-incorrect-header-sanitization/77344"}],"source":{"advisory":"HCSEC-2026-08","discovery":"EXTERNAL"},"title":"Vault Token Leaked to Backends via Authorization: Bearer Passthrough Header"}},"cveMetadata":{"assignerOrgId":"67fedba0-ff2e-4543-ba5b-aa93e87718cc","assignerShortName":"HashiCorp","cveId":"CVE-2026-4525","datePublished":"2026-04-17T03:00:47.561Z","dateReserved":"2026-03-20T17:47:40.835Z","dateUpdated":"2026-04-17T13:19:32.463Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-17 04:16:09","lastModifiedDate":"2026-04-17 15:08:25","problem_types":["CWE-201","CWE-201 CWE-201: Insertion of Sensitive Information Into Sent Data"],"metrics":{"cvssMetricV31":[{"source":"security@hashicorp.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.6,"impactScore":5.9}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"4525","Ordinal":"1","Title":"Vault Token Leaked to Backends via Authorization: Bearer Passthr","CVE":"CVE-2026-4525","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"4525","Ordinal":"1","NoteData":"If a Vault auth mount is configured to pass through the \"Authorization\" header, and the \"Authorization\" header is used to authenticate to Vault, Vault forwarded the Vault token to the auth plugin backend. Fixed in 2.0.0, 1.21.5, 1.20.10, and 1.19.16.","Type":"Description","Title":"Vault Token Leaked to Backends via Authorization: Bearer Passthr"}]}}}