Low severityNVD Advisory· Published Jun 12, 2024· Updated Nov 4, 2025
Vault Incorrectly Validated JSON Web Tokens (JWT) Audience Claims
CVE-2024-5798
Description
Vault and Vault Enterprise did not properly validate the JSON Web Token (JWT) role-bound audience claim when using the Vault JWT auth method. This may have resulted in Vault validating a JWT the audience and role-bound claims do not match, allowing an invalid login to succeed when it should have been rejected.
This vulnerability, CVE-2024-5798, was fixed in Vault and Vault Enterprise 1.17.0, 1.16.3, and 1.15.9
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/hashicorp/vaultGo | >= 1.17.0-rc1, < 1.17.0 | 1.17.0 |
github.com/hashicorp/vaultGo | >= 1.16.0-rc1, < 1.16.3 | 1.16.3 |
github.com/hashicorp/vaultGo | >= 0.11.0, < 1.15.9 | 1.15.9 |
Affected products
8- osv-coords6 versionspkg:apk/chainguard/vault-1.15pkg:apk/chainguard/vault-1.15-compatpkg:apk/chainguard/vault-fips-1.15pkg:apk/chainguard/vault-fips-1.15-compatpkg:bitnami/vaultpkg:golang/github.com/hashicorp/vault
< 1.15.9-r0+ 5 more
- (no CPE)range: < 1.15.9-r0
- (no CPE)range: < 1.15.9-r0
- (no CPE)range: < 1.15.9-r0
- (no CPE)range: < 1.15.9-r0
- (no CPE)range: >= 0.11.0, < 1.16.2
- (no CPE)range: >= 1.17.0-rc1, < 1.17.0
- Range: 0.11.0
Patches
Vulnerability mechanics
References
4News mentions
0No linked articles in our index yet.