PT-2026-33400 · Hashicorp · Vault Community Edition+1
Oleh Konko +1 · Published 2026-04-17 · Updated 2026-04-21 · CVE-2026-5052
CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
HashiCorp Vault Community Edition versions prior to 2.0.0
HashiCorp Vault Enterprise versions prior to 1.19.16
HashiCorp Vault Enterprise versions 1.19.16 through 1.20.9
HashiCorp Vault Enterprise versions 1.20.10 through 1.21.4
HashiCorp Vault Enterprise versions prior to 1.21.5
HashiCorp Vault Enterprise versions prior to 2.0.0
Description
The PKI engine ACME validation fails to reject local targets during the issuance of 'http-01' and 'tls-alpn-01' challenges. This flaw may result in requests being directed to targets within the local network, which could lead to information disclosure.
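A destination check of the kind the description says was missing, as an added example rather than Vault's own code or its actual fix: before an ACME validator connects for 'http-01' or 'tls-alpn-01', it refuses any resolved address that is local. The function names, the extra CGNAT prefix and the sample addresses are assumptions constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

// ErrLocalTarget marks a challenge target that is not publicly routable.
var ErrLocalTarget = errors.New("acme challenge target is a local address")

// cgnat is shared address space that netip's helpers do not flag (assumed policy choice).
var cgnat = netip.MustParsePrefix("100.64.0.0/10")

// isLocal reports whether addr must never be dialed by a validator.
func isLocal(addr netip.Addr) bool {
	addr = addr.Unmap() // treat ::ffff:127.0.0.1 as 127.0.0.1
	return addr.IsLoopback() || addr.IsPrivate() || addr.IsLinkLocalUnicast() ||
		addr.IsUnspecified() || addr.IsMulticast() || cgnat.Contains(addr)
}

// CheckChallengeTarget vets every address an identifier resolved to.
// One local answer rejects the whole set, and the caller must dial the
// returned addresses directly instead of resolving the name a second time.
func CheckChallengeTarget(resolved []string) ([]netip.Addr, error) {
	if len(resolved) == 0 {
		return nil, errors.New("identifier resolved to no addresses")
	}
	safe := make([]netip.Addr, 0, len(resolved))
	for _, s := range resolved {
		addr, err := netip.ParseAddr(s)
		if err != nil {
			return nil, fmt.Errorf("bad address %q: %w", s, err)
		}
		if isLocal(addr) {
			return nil, fmt.Errorf("%w: %s", ErrLocalTarget, addr)
		}
		safe = append(safe, addr.Unmap())
	}
	return safe, nil
}

func main() {
	// Constructed sample answers: a documentation address, then a link-local one.
	fmt.Println(CheckChallengeTarget([]string{"203.0.113.10"}))
	fmt.Println(CheckChallengeTarget([]string{"203.0.113.10", "169.254.169.254"}))
}
```

The same check has to be repeated on every redirect hop if the validator follows HTTP redirects, since each hop is a new destination.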
Recommendations
Update HashiCorp Vault Community Edition to version 2.0.0.
Update HashiCorp Vault Enterprise to version 1.19.16, 1.20.10, 1.21.5, or 2.0.0.
Fix
SSRF
Weakness Enumeration
Related Identifiers
Affected Products
Vault Community Edition
Vault Enterprise