Moderate severityNVD Advisory· Published Aug 6, 2025· Updated Feb 26, 2026

Vault LDAP MFA Enforcement Bypass When Using Username As Alias

CVE-2025-6013

Description

Vault and Vault Enterprise’s (“Vault”) ldap auth method may not have correctly enforced MFA if username_as_alias was set to true and a user had multiple CNs that are equal but with leading or trailing spaces. Fixed in Vault Community Edition 1.20.2 and Vault Enterprise 1.20.2, 1.19.8, 1.18.13, and 1.16.24.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
github.com/hashicorp/vaultGo	< 1.20.2	1.20.2

Affected products

Hashicorp/Vaultv5
Range: 1.10.0
HashiCorp/Vault Enterprisev5
Range: 1.10.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-7rx2-769v-hrwfghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2025-6013ghsaADVISORY
discuss.hashicorp.com/t/hcsec-2025-20-vault-ldap-mfa-enforcement-bypass-when-using-username-as-alias/76092ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000