High severity8.1NVD Advisory· Published Apr 17, 2026· Updated Apr 25, 2026

CVE-2026-3605

Description

An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user to delete secrets across namespaces, nor read any secret data. Fxed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
github.com/hashicorp/vaultGo	>= 0.10.0, <= 1.21.4	—

Affected products

Hashicorp/Vault2 versions
cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:*+ 1 more
- cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:*range: >=0.10.0,<2.0.0
- cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*range: >=0.10.0,<1.19.16

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

discuss.hashicorp.com/t/hcsec-2026-05-vault-kvv2-metadata-and-secret-deletion-policy-bypass-denial-of-service/77342nvdVendor AdvisoryWEB
github.com/advisories/GHSA-m2w4-8ggf-rj47ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-3605ghsaADVISORY

News mentions

No linked articles in our index yet.

cvss	0.526
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000