Moderate severity · NVD Advisory · Published Aug 6, 2025 · Updated Feb 26, 2026
Vault LDAP MFA Enforcement Bypass When Using Username As Alias
CVE-2025-6013
Description
Vault and Vault Enterprise's ("Vault") ldap auth method may not have correctly enforced MFA when username_as_alias was set to true and a user had multiple CNs that were equal except for leading or trailing spaces. Fixed in Vault Community Edition 1.20.2 and Vault Enterprise 1.20.2, 1.19.8, 1.18.13, and 1.16.24.
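The precondition in the description, as an added illustration that is not Vault's code and makes no claim about how Vault's ldap auth method implements alias lookup: a small Go audit that walks directory entries (the ldapEntry type and sampleEntries are constructed for this example) and flags any user whose cn attribute holds two or more values that differ only by leading or trailing whitespace. It also shows why that matters for an MFA policy keyed on an alias name: keyed on the raw cn value, such a user produces two alias keys, each with its own MFA state; keyed on the trimmed value, one.

```go
package main

import (
	"fmt"
	"strings"
)

// ldapEntry is a minimal stand-in for a directory search result: one user's
// distinguished name and the values its cn attribute carries. Constructed for
// this example; it is not a Vault or go-ldap type.
type ldapEntry struct {
	DN  string
	CNs []string
}

// canonicalCN is the normalisation an alias lookup should apply before using a
// cn as a key: strip leading and trailing whitespace so "alice" and " alice"
// resolve to the same alias. Case-folding is deliberately left out so the check
// matches exactly the condition in the advisory (whitespace only).
func canonicalCN(cn string) string {
	return strings.TrimSpace(cn)
}

// distinctAliases counts how many alias keys a set of cn values produces under
// a given key function. With the identity function, "alice" and " alice" are
// two aliases; with canonicalCN they are one.
func distinctAliases(cns []string, key func(string) string) int {
	seen := map[string]struct{}{}
	for _, cn := range cns {
		seen[key(cn)] = struct{}{}
	}
	return len(seen)
}

// whitespaceCollisions returns, per DN, the groups of distinct raw cn values
// that collapse to one value after canonicalCN. A DN present in the result has
// multiple CNs equal except for leading or trailing spaces, which is the
// precondition the advisory describes.
func whitespaceCollisions(entries []ldapEntry) map[string][][]string {
	out := map[string][][]string{}
	for _, e := range entries {
		groups := map[string][]string{}
		var order []string
		raw := map[string]struct{}{}
		for _, cn := range e.CNs {
			if _, dup := raw[cn]; dup {
				continue // exact duplicate value, not a whitespace variant
			}
			raw[cn] = struct{}{}
			k := canonicalCN(cn)
			if _, ok := groups[k]; !ok {
				order = append(order, k)
			}
			groups[k] = append(groups[k], cn)
		}
		for _, k := range order {
			if len(groups[k]) > 1 {
				out[e.DN] = append(out[e.DN], groups[k])
			}
		}
	}
	return out
}

// sampleEntries is constructed test data, not output of any real directory.
var sampleEntries = []ldapEntry{
	{DN: "cn=alice,ou=people,dc=example,dc=com", CNs: []string{"alice", " alice"}},
	{DN: "cn=bob,ou=people,dc=example,dc=com", CNs: []string{"bob", "Robert"}},
	{DN: "cn=carol,ou=people,dc=example,dc=com", CNs: []string{"carol", "carol ", " carol"}},
}

func main() {
	for dn, groups := range whitespaceCollisions(sampleEntries) {
		for _, g := range groups {
			fmt.Printf("%s: %d cn values differ only by whitespace: %q\n", dn, len(g), g)
		}
	}
	rawKey := func(s string) string { return s }
	fmt.Println("alias keys for alice, raw cn:", distinctAliases(sampleEntries[0].CNs, rawKey))
	fmt.Println("alias keys for alice, trimmed cn:", distinctAliases(sampleEntries[0].CNs, canonicalCN))
}
```

To run this against a real directory, replace sampleEntries with the cn values returned by an LDAP search over the user base DN. The one configuration check the description makes relevant before upgrading is whether an ldap mount has username_as_alias enabled; `vault read auth/ldap/config` (substitute the mount path if it is not the default) shows that setting. The fix itself is the upgrade to the versions listed in the description.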
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/hashicorp/vault | Go | < 1.20.2 | 1.20.2 |
Affected products
Ten package coordinates (OSV purls) carry a version range for this CVE; none has a CPE assigned:
- pkg:apk/chainguard/splunk-otel-collector: < 0.138.0-r0
- pkg:apk/chainguard/splunk-otel-collector-fips: < 0.138.0-r1
- pkg:apk/chainguard/vault-1.17: < 1.17.6-r23
- pkg:apk/wolfi/splunk-otel-collector: < 0.138.0-r0
- pkg:bitnami/vault: >= 1.10.0, < 1.20.2
- pkg:golang/github.com/hashicorp/vault: < 1.20.2
- pkg:rpm/opensuse/govulncheck-vulndb (distro: openSUSE Leap 15.6): < 0.0.20250814T182633-150000.1.98.1
- pkg:rpm/opensuse/govulncheck-vulndb (distro: openSUSE Tumbleweed): < 0.0.20250811T192933-1.1
- pkg:rpm/opensuse/openbao (distro: openSUSE Tumbleweed): < 2.3.2-1.1
- pkg:rpm/suse/govulncheck-vulndb (distro: SUSE Linux Enterprise Module for Package Hub 15 SP6): < 0.0.20250814T182633-150000.1.98.1