CVE-2020-16251
Description
HashiCorp Vault and Vault Enterprise versions 0.8.3 and newer, when configured with the GCP GCE auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
HashiCorp Vault with GCP GCE auth method in versions 0.8.3 to 1.5.0 allows authentication bypass; fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1.
Vulnerability
HashiCorp Vault and Vault Enterprise versions 0.8.3 and newer, when configured with the GCP GCE auth method, contain a vulnerability that can lead to authentication bypass [2]. The root cause lies in the handling of GCE identity tokens, allowing an attacker to impersonate a legitimate instance.
Exploitation
To exploit this vulnerability, an attacker needs network access to a Vault instance that has the GCP GCE auth method enabled. The attacker can craft a malicious identity token that bypasses authentication checks, gaining access without proper credentials.
Impact
Successful exploitation allows an attacker to authenticate as any GCE instance, potentially gaining unauthorized access to secrets and other sensitive data managed by Vault.
Mitigation
The vulnerability is fixed in Vault versions 1.2.5, 1.3.8, 1.4.4, and 1.5.1 [3]. Users should upgrade to these versions or later. No workaround is available for unpatched versions.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/hashicorp/vault (Go) | >= 0.8.3, < 1.2.5 | 1.2.5 |
| github.com/hashicorp/vault (Go) | >= 1.3.0, < 1.3.8 | 1.3.8 |
| github.com/hashicorp/vault (Go) | >= 1.4.0, < 1.4.4 | 1.4.4 |
| github.com/hashicorp/vault (Go) | >= 1.5.0, < 1.5.1 | 1.5.1 |
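Checking a Vault build against the advisory's affected ranges, as an added example that is not Vault's or the advisory's own code: the branch-specific rows in the table above are what matter, since "0.8.3 and newer" on its own would also flag patched 1.2.x, 1.3.x and 1.4.x builds. It assumes the version string has the shape `MAJOR.MINOR.PATCH` with an optional `v` prefix or `+ent` / `-rc` suffix.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// key reduces "MAJOR.MINOR.PATCH" to one comparable integer. A leading "v" and a
// suffix such as "+ent" (Vault Enterprise) or "-rc1" are dropped first.
func key(version string) (int, error) {
	s := strings.TrimPrefix(strings.TrimSpace(version), "v")
	if i := strings.IndexAny(s, "+-"); i >= 0 {
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return 0, fmt.Errorf("unexpected version format: %q", version)
	}
	k := 0
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 || n >= 1000 {
			return 0, fmt.Errorf("bad version component in %q", version)
		}
		k = k*1000 + n
	}
	return k, nil
}

// affectedRanges mirrors the advisory table: introduced (inclusive), fixed (exclusive).
var affectedRanges = [][2]string{
	{"0.8.3", "1.2.5"}, {"1.3.0", "1.3.8"}, {"1.4.0", "1.4.4"}, {"1.5.0", "1.5.1"},
}
// IsAffected reports whether a Vault version falls inside any affected range,
// so 1.2.6 is clear even though it is "0.8.3 and newer", while 1.3.0 is not.
func IsAffected(version string) (bool, error) {
	v, err := key(version)
	if err != nil {
		return false, err
	}
	for _, r := range affectedRanges {
		lo, _ := key(r[0]) // table literals are well-formed
		hi, _ := key(r[1])
		if v >= lo && v < hi {
			return true, nil
		}
	}
	return false, nil
}
```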
Affected products
- HashiCorp/Vault (OSV coordinates, no CPE): 2 version ranges, >= 0.8.3, < 1.2.5 and 1 more
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-4mp7-2m29-gqxf (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-16251 (GHSA, advisory)
- packetstormsecurity.com/files/159479/Hashicorp-Vault-GCP-IAM-Integration-Authentication-Bypass.html (GHSA, x_refsource_MISC, web)
- github.com/hashicorp/vault/blob/master/CHANGELOG.md (GHSA, x_refsource_MISC, web)
- www.hashicorp.com/blog/category/vault (GHSA, web)
- www.hashicorp.com/blog/category/vault/ (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.