Medium severity5.3NVD Advisory· Published Apr 17, 2026· Updated Apr 27, 2026

CVE-2026-5052

Description

Vault’s PKI engine’s ACME validation did not reject local targets when issuing http-01 and tls-alpn-01 challenges. This may lead to these requests being sent to local network targets, potentially leading to information disclosure. Fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
github.com/hashicorp/vaultGo	>= 1.14.0, <= 1.21.4	—

Affected products

Hashicorp/Vault2 versions
cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*+ 1 more
- cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*range: >=1.14.0,<1.19.16
- cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:*range: >=1.14.0,<2.0.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

discuss.hashicorp.com/t/hcsec-2026-06-vault-vulnerable-to-server-side-request-forgery-in-acme-challenge-validation-via-attacker-controlled-dns/77343nvdVendor AdvisoryWEB
github.com/advisories/GHSA-8r5m-3f66-qpr3ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-5052ghsaADVISORY

News mentions

No linked articles in our index yet.

cvss	0.345
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000