CVE-2021-32923
Description
HashiCorp Vault and Vault Enterprise allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically, those within 1 second of their maximum TTL), which caused them to be incorrectly treated as non-expiring during subsequent use. Fixed in 1.5.9, 1.6.5, and 1.7.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
HashiCorp Vault had a flaw where renewing nearly-expired leases (within 1s of max TTL) caused them to be treated as non-expiring, allowing indefinite use. Fixed in 1.5.9, 1.6.5, 1.7.2.
Vulnerability
HashiCorp Vault and Vault Enterprise from version 0.10.0 through 1.7.1 contained a logic flaw in lease renewal. When a token lease or dynamic secret lease was renewed within the last second of its maximum TTL, the renewed lease was assigned a TTL of zero seconds (rounded down). This zero-second TTL was incorrectly interpreted as non-expiring by Vault’s internal accounting, allowing the lease to be used indefinitely [1][2].
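As an added illustration (not Vault's code and not taken from the advisory), the Go model below reproduces the arithmetic described above: the renewal TTL is capped at the time left under the max TTL and rounded down to whole seconds, so a renewal in the final second yields zero, shown beside one corrected handling that refuses such a renewal. The Lease type, function names and the refusal strategy are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Lease is a simplified model of a Vault lease (assumed for this example, not Vault's type).
type Lease struct {
	IssueTime time.Time
	MaxTTL    time.Duration
	TTL       time.Duration // the flawed accounting read 0 here as "never expires"
}

// cappedTTL caps the requested TTL at the time left under MaxTTL and rounds down to whole seconds.
func cappedTTL(l Lease, requested time.Duration, now time.Time) time.Duration {
	remaining := l.MaxTTL - now.Sub(l.IssueTime)
	if requested > remaining {
		requested = remaining
	}
	return requested.Truncate(time.Second)
}

// renewVulnerable models the pre-fix path: inside the final second the TTL rounds to 0 and is stored as-is.
func renewVulnerable(l Lease, requested time.Duration, now time.Time) Lease {
	l.TTL = cappedTTL(l, requested, now)
	return l
}

// renewFixed models one correct handling (an assumption, not necessarily Vault's patch):
// a renewal that rounds down to zero is refused, so the lease expires at its max TTL.
func renewFixed(l Lease, requested time.Duration, now time.Time) (Lease, error) {
	ttl := cappedTTL(l, requested, now)
	if ttl <= 0 {
		return l, errors.New("lease within 1s of max TTL: renewal refused")
	}
	l.TTL = ttl
	return l, nil
}

func main() {
	issued := time.Date(2021, 5, 1, 12, 0, 0, 0, time.UTC) // constructed sample lease
	lease := Lease{IssueTime: issued, MaxTTL: time.Hour, TTL: 10 * time.Minute}
	now := issued.Add(time.Hour - 500*time.Millisecond) // renew 0.5s before max TTL
	fmt.Println("vulnerable: stored TTL =", renewVulnerable(lease, 10*time.Minute, now).TTL) // 0s
	_, err := renewFixed(lease, 10*time.Minute, now)
	fmt.Println("fixed:", err)
}
```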
Exploitation
To exploit this issue, an attacker must possess an existing valid Vault token. The vulnerability is triggered when a lease is renewed inside a narrow time window (the final second of its maximum TTL). Automation-driven renewals operating with tight time tolerances are more likely to hit this window. No additional authentication or network position beyond that required for normal lease renewal is needed [2].
Impact
Successfully exploited leases – both token leases and dynamic secret leases – are never revoked. This means tokens or dynamic secrets that should have expired remain valid indefinitely, potentially granting continued access to resources that were intended to be time-limited. The impact is a violation of the intended time-to-live policy, leading to unauthorized access or privilege persistence [2].
Mitigation
The vulnerability is fixed in Vault and Vault Enterprise versions 1.5.9, 1.6.5, and 1.7.2. Operators should upgrade to one of these releases or later. No workaround is known [2][3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/hashicorp/vault (Go) | >= 1.7.0, < 1.7.2 | 1.7.2 |
| github.com/hashicorp/vault (Go) | >= 1.6.0, < 1.6.5 | 1.6.5 |
| github.com/hashicorp/vault (Go) | >= 0.10.0, < 1.5.9 | 1.5.9 |
Affected products
8 OSV coordinates (no CPE), with the version ranges as listed:
- pkg:apk/chainguard/k3d, range: < 5.6.0-r11
- pkg:apk/chainguard/k3d-proxy, range: < 5.6.0-r11
- pkg:apk/chainguard/k3d-tools, range: < 5.6.0-r11
- pkg:apk/wolfi/k3d, range: < 5.6.0-r11
- pkg:apk/wolfi/k3d-proxy, range: < 5.6.0-r11
- pkg:apk/wolfi/k3d-tools, range: < 5.6.0-r11
- pkg:bitnami/vault, range: >= 0.10.0, < 1.5.9
- pkg:golang/github.com/hashicorp/vault, range: >= 1.7.0, < 1.7.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
6 references:
- github.com/advisories/GHSA-38j9-7pp9-2hjw (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-32923 (NVD advisory)
- security.gentoo.org/glsa/202207-01 (Gentoo vendor advisory, x_refsource_GENTOO)
- discuss.hashicorp.com/t/hcsec-2021-15-vault-renewed-nearly-expired-leases-with-incorrect-non-expiring-ttls/24603 (HashiCorp HCSEC-2021-15, x_refsource_MISC)
- www.hashicorp.com/blog/category/vault (web)
- www.hashicorp.com/blog/category/vault/ (web, MITRE x_refsource_MISC)
News mentions
No linked articles in our index yet.