{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5807", "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "state": "PUBLISHED", "assignerShortName": "HashiCorp", "dateReserved": "2026-04-08T14:43:57.845Z", "datePublished": "2026-04-17T03:22:13.816Z", "dateUpdated": "2026-04-17T03:22:13.816Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["64 bit", "32 bit", "x86", "ARM", "MacOS", "Windows", "Linux"], "product": "Vault", "repo": "https://github.com/hashicorp/vault", "vendor": "HashiCorp", "versions": [{"lessThan": "2.0.0", "status": "affected", "version": "0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "platforms": ["64 bit", "32 bit", "x86", "ARM", "MacOS", "Windows", "Linux"], "product": "Vault Enterprise", "repo": "https://github.com/hashicorp/vault", "vendor": "HashiCorp", "versions": [{"lessThan": "2.0.0.", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Vault is vulnerable to a denial-of-service condition where an unauthenticated attacker can repeatedly initiate or cancel root token generation or rekey operations, occupying the single in-progress operation slot. This prevents legitimate operators from completing these workflows. This vulnerability, CVE-2026-5807, is fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0.</p><br/>"}], "value": "Vault is vulnerable to a denial-of-service condition where an unauthenticated attacker can repeatedly initiate or cancel root token generation or rekey operations, occupying the single in-progress operation slot. This prevents legitimate operators from completing these workflows. This vulnerability, CVE-2026-5807, is fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0."}], "impacts": [{"capecId": "CAPEC-125", "descriptions": [{"lang": "en", "value": "CAPEC-125: Flooding"}]}], "metrics": [{"cvssV3_1": {"baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "shortName": "HashiCorp", "dateUpdated": "2026-04-17T03:22:13.816Z"}, "references": [{"url": "https://discuss.hashicorp.com/t/hcsec-2026-08-vault-vulnerable-to-denial-of-service-via-unauthenticated-root-token-generation-rekey-operations/77345"}], "source": {"advisory": "HCSEC-2026-08", "discovery": "EXTERNAL"}, "title": "Vault Vulnerable to Denial-of-Service via Unauthenticated Root Token Generation/Rekey Operations"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Vault is vulnerable to a denial-of-service condition where an unauthenticated attacker can repeatedly initiate or cancel root token generation or rekey operations, occupying the single in-progress operation slot. This prevents legitimate operators from completing these workflows. This vulnerability, CVE-2026-5807, is fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0."}], "id": "CVE-2026-5807", "lastModified": "2026-04-17T05:16:19.303", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@hashicorp.com", "type": "Secondary"}]}, "published": "2026-04-17T05:16:19.303", "references": [{"source": "security@hashicorp.com", "url": "https://discuss.hashicorp.com/t/hcsec-2026-08-vault-vulnerable-to-denial-of-service-via-unauthenticated-root-token-generation-rekey-operations/77345"}], "sourceIdentifier": "security@hashicorp.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security@hashicorp.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-17T05:53:04.545576+00:00", "value": {"mitigation_remediation": ["Upgrade to Vault Community Edition\u00a02.0.0 or later, or Vault Enterprise\u00a02.0.0 or later, to apply the vendor\u2011provided fix.", "Reconfigure network or firewall rules to restrict unauthenticated access to the Vault API, ensuring that only trusted hosts can communicate with the server.", "Enable monitoring and alerts on root token and rekey initiation events to detect abnormal activity and intervene before legitimate operators are blocked."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all installations of HashiCorp Vault Community Edition and Vault Enterprise that are prior to version\u00a02.0.0. Operators running any earlier release are subject to the denial\u2011of\u2011service attack, whereas deployments on 2.0.0 or later contain the fix.", "description_and_impact": "Vault is vulnerable to a denial\u2011of\u2011service condition where an unauthenticated attacker can repeatedly initiate or cancel root token generation or rekey operations, occupying the single in\u2011progress operation slot. This forces legitimate operators to wait until the operation completes or times out, effectively blocking critical administrative workflows that rely on root access. The underlying weakness is a resource exhaustion flaw (CWE\u2011770).", "risk_and_exploitability": "The CVSS score of 7.5 classifies the flaw as high severity, and the absence of authentication requirements means an attacker only needs network access to the Vault API. The exploitability is straightforward: by repeatedly issuing root token or rekey commands, an unauthenticated attacker can monopolize the single operation slot. Current EPSS data is unavailable and the vulnerability is not listed in the CISA KEV catalog, but the high CVSS score coupled with the lack of safeguards makes it a significant threat to operational availability."}}}}, "created": "2026-04-17T06:00:09.272938+00:00", "updated": "2026-04-17T06:00:09.272949+00:00", "vendors": []}