CVE-2020-35177
Description
HashiCorp Vault and Vault Enterprise 1.4.1 and newer allowed the enumeration of users via the LDAP auth method. Fixed in 1.5.6 and 1.6.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
HashiCorp Vault LDAP auth method allowed user enumeration via error messages, fixed in versions 1.5.6 and 1.6.1.
Vulnerability
Details
CVE-2020-35177 is an information disclosure vulnerability in HashiCorp Vault and Vault Enterprise versions 1.4.1 and newer. The LDAP authentication method returned distinct error messages for valid and invalid usernames, enabling an attacker to enumerate valid LDAP users [1][3]. This behavior was introduced in Vault 1.4.1 and persisted until the fix [3].
Exploitation
An attacker with network access to the Vault API can send authentication requests to the LDAP auth endpoint with different usernames. By analyzing the error messages returned, the attacker can determine whether a given username exists in the LDAP directory [3]. No prior authentication is required to perform this enumeration.
Impact
User enumeration allows an attacker to build a list of valid usernames, which can be leveraged for further attacks such as password spraying, credential stuffing, or targeted social engineering [3]. While the vulnerability does not directly expose credentials, it reduces the attack surface for subsequent brute-force or phishing campaigns.
Mitigation
HashiCorp addressed the issue by improving the consistency of error messages in the LDAP auth method [4]. The fix is included in Vault and Vault Enterprise versions 1.5.6 and 1.6.1 [2][3]. Users running affected versions should upgrade immediately. No workarounds are documented; upgrading is the recommended remediation.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/hashicorp/vault (Go) | >= 1.5.0, < 1.5.6 | 1.5.6 |
| github.com/hashicorp/vault (Go) | >= 1.6.0, < 1.6.1 | 1.6.1 |
Affected products
- osv-coords (2 versions): >= 1.5.0, < 1.5.6 (+1 more)
- (no CPE) range: >= 1.5.0, < 1.5.6
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] https://github.com/advisories/GHSA-rpgp-9hmg-j25x (GHSA, ADVISORY)
- [2] https://nvd.nist.gov/vuln/detail/CVE-2020-35177 (GHSA, ADVISORY)
- [3] https://discuss.hashicorp.com/t/hcsec-2020-25-vault-s-ldap-auth-method-allows-user-enumeration/18984 (GHSA, x_refsource_CONFIRM, WEB)
- [4] https://github.com/hashicorp/vault/blob/master/CHANGELOG.md (GHSA, x_refsource_CONFIRM, WEB)
- [5] https://github.com/hashicorp/vault/pull/10537 (GHSA, WEB)
News mentions
No linked articles in our index yet.