pkg:Bitnami/vault

71 total CVEsCRITICAL9HIGH25MEDIUM32LOW5

✅ Check your installed version

All known vulnerabilities

  • CRITICAL9.8CVE-2020-35192The official vault docker images before 0.11.6 contain a blank password for a root user.
    >= 0.6.0, < 0.11.6
  • CRITICAL9.8CVE-2020-25816Token leases could outlive their TTL in HashiCorp Vault in github.com/hashicorp/vault
    >= 1.0.0, < 1.4.7, >= 1.5.0, < 1.5.4
  • CRITICAL9.8CVE-2021-38553HashiCorp Vault underlying database had excessively broad filesystem permissions from v1.4.0 until v1.8.0 in github.com/hashicorp/vault
    >= 1.4.0, < 1.8.0
  • CRITICAL9.8CVE-2020-12757Improper Input Validation in HashiCorp Vault in github.com/hashicorp/vault-plugin-secrets-gcp
    >= 1.4.0, < 1.4.2
  • CRITICAL9.1CVE-2025-6000Hashicorp Vault has Code Execution Vulnerability via Plugin Configuration
    >= 0.8.0, < 1.20.1
  • CRITICAL9.1CVE-2022-36129HashiCorp Vault Enterprise 1.7.0 through 1.9.7, 1.10.4, and 1.11.0 clusters using Integrated Storage expose an unauthenticated API endpoint…
    >= 1.7.0, < 1.9.8, >= 1.10.0, < 1.10.5, >= 1.11.0, < 1.11.1
  • CRITICAL9.1CVE-2020-10661HashiCorp Vault Improper Privilege Management in github.com/hashicorp/vault
    >= 0.11.0, < 1.3.4
  • CRITICAL9.1CVE-2022-40186HashiCorp Vault vulnerable to incorrect metadata access in github.com/hashicorp/vault
    >= 1.8.0, < 1.9.9, >= 1.10.0, < 1.10.6, >= 1.11.0, < 1.11.3
  • CRITICAL9.1CVE-2021-43998HashiCorp Vault Incorrect Permission Assignment for Critical Resource in github.com/hashicorp/vault
    >= 0.11.0, < 1.7.6, >= 1.8.4, < 1.8.5
  • HIGH8.2CVE-2020-16251HashiCorp Vault Authentication bypass in github.com/hashicorp/vault
    >= 0.8.3, < 1.2.5, >= 1.3.0, < 1.3.8, >= 1.4.0, < 1.4.4, >= 1.5.0, < 1.5.1
  • HIGH8.2CVE-2020-16250Authentication Bypass by Spoofing and Insufficient Verification of Data Authenticity in Hashicorp Vault
    >= 0.7.1, < 1.2.5, >= 1.3.0, < 1.3.8, >= 1.4.0, < 1.4.4, >= 1.5.0, < 1.5.1
  • HIGH8.1CVE-2026-3605Vault KVv2 Metadata and Secret Deletion Policy Bypass Denial-of-Service
    >= 0.10.0, < 2.0.0
  • HIGH8.1CVE-2025-11621HashiCorp Vault and Vault Enterprise's AWS Auth method may be susceptible to authentication bypass in github.com/hashicorp/vault
    >= 0.6.0, < 1.21.0
  • HIGH8.1CVE-2024-2048Authentication bypass in github.com/hashicorp/vault
    >= 1.15.5, < 1.16.0
  • HIGH8.1CVE-2023-24999Hashicorp Vault Fails to Verify if Approle SecretID Belongs to Role During a Destroy Operation
    from 0, < 1.10.11, >= 1.11.0, < 1.11.8, >= 1.12.0, < 1.12.4
  • HIGH8.1CVE-2021-42135Incorrect Privilege Assignment in HashiCorp Vault in github.com/hashicorp/vault
    >= 1.8.0, < 1.8.5
  • HIGH7.6CVE-2023-5077Hashicorp Vault Incorrect Permission Assignment for Critical Resource vulnerability
    >= 0.10.0, < 1.13.0
  • HIGH7.5CVE-2026-5807Vault Vulnerable to Denial-of-Service via Unauthenticated Root Token Generation/Rekey Operations
    >= 0.10.0, < 2.0.0
  • HIGH7.5CVE-2026-4525Vault Token Leaked to Backends via Authorization: Bearer Passthrough Header
    >= 0.10.0, < 2.0.0
  • HIGH7.5CVE-2025-12044Hashicorp Vault and Vault Enterprise vulnerable to a denial of service when processing JSON in github.com/hashicorp/vault
    >= 0.6.0, < 1.16.27, >= 1.17.0, < 1.19.11, >= 1.20.0, < 1.21.0
  • HIGH7.5CVE-2025-6203HashiCorp Vault Community Edition Denial of Service Though Complex JSON Payloads in github.com/hashicorp/vault
    >= 1.15.0, < 1.20.3
  • HIGH7.5CVE-2024-8185Hashicorp Vault vulnerable to denial of service through memory exhaustion in github.com/hashicorp/vault
    >= 1.2.0, < 1.18.1
  • HIGH7.5CVE-2024-7594Vault SSH Secrets Engine Configuration Did Not Restrict Valid Principals By Default
    >= 1.7.7, < 1.17.6
  • HIGH7.5CVE-2024-6468Hashicorp Vault vulnerable to Improper Check or Handling of Exceptional Conditions
    >= 1.10.0, < 1.16.3, >= 1.17.0, < 1.17.2
  • HIGH7.5CVE-2021-27400HashiCorp Vault and Vault Enterprise Cassandra integrations (storage backend and database secrets engine plugin) did not validate TLS certi…
    from 0, < 1.6.4, >= 1.7.0, < 1.7.1
  • HIGH7.5CVE-2021-29653HashiCorp Vault and Vault Enterprise 1.5.1 and newer, under certain circumstances, may exclude revoked but unexpired certificates from the…
    >= 1.5.1, < 1.5.8, >= 1.6.0, < 1.6.4, >= 1.7.0, < 1.7.1
  • HIGH7.5CVE-2021-3282Improper Authentication in HashiCorp Vault in github.com/hashicorp/vault
    >= 1.6.0, < 1.6.1, >= 1.6.1, < 1.6.2
  • HIGH7.5CVE-2023-6337Vault May be Vulnerable to a Denial of Service Through Memory Exhaustion When Handling Large HTTP Requests
    >= 1.13.0, < 1.13.12, >= 1.14.0, < 1.14.8, >= 1.15.0, < 1.15.4
  • HIGH7.5CVE-2023-5954HashiCorp Vault Missing Release of Memory after Effective Lifetime vulnerability
    >= 1.13.7, < 1.13.10, >= 1.14.3, < 1.14.6, >= 1.15.0, < 1.15.2
  • HIGH7.5CVE-2020-7220Improper Resource Shutdown or Release in HashiCorp Vault in github.com/hashicorp/vault
    >= 0.11.0, < 1.3.2
  • HIGH7.5CVE-2020-13223Information Disclosure in HashiCorp Vault in github.com/hashicorp/vault
    from 0, < 1.3.6, >= 1.4.0, < 1.4.2
  • HIGH7.4CVE-2021-32923Invalid session token expiration in github.com/hashicorp/vault
    >= 0.10.0, < 1.5.9, >= 1.6.0, < 1.6.5, >= 1.7.0, < 1.7.2
  • HIGH7.2CVE-2025-5999Hashicorp Vault has Privilege Escalation Vulnerability
    >= 0.10.4, < 1.20.0
  • HIGH7.2CVE-2024-9180Vault Operators in Root Namespace May Elevate Their Privileges
    >= 1.7.7, < 1.18.0
  • MEDIUM6.8CVE-2025-6037Hashicorp Vault has Incorrect Validation for Non-CA Certificates in github.com/hashicorp/vault
    from 0, < 1.20.1
  • MEDIUM6.8CVE-2023-4680HashiCorp Vault Improper Input Validation vulnerability
    >= 1.6.0, < 1.12.11, >= 1.13.0, < 1.13.7, >= 1.14.0, < 1.14.3
  • MEDIUM6.7CVE-2023-0620HashiCorp Vault’s Microsoft SQL Database Storage Backend Vulnerable to SQL Injection Via Configuration File in github.com/hashicorp/vault
    from 0, < 1.11.9, >= 1.12.0, < 1.12.5, >= 1.13.0, < 1.13.1
  • MEDIUM6.6CVE-2025-3879Vault’s Azure Authentication Method bound_location Restriction Could be Bypassed on Login
    >= 0.10.0, < 1.19.1
  • MEDIUM6.5CVE-2025-6013HashiCorp Vault ldap auth method may not have correctly enforced MFA in github.com/hashicorp/vault
    >= 1.10.0, < 1.20.2
  • MEDIUM6.5CVE-2025-6014Hashicorp Vault's TOTP Secrets Engine Susceptible to Code Reuse in github.com/hashicorp/vault
    from 0, < 1.20.1
  • MEDIUM6.5CVE-2024-8365Vault Leaks Client Token and Token Accessor in Audit Devices in github.com/hashicorp/vault
    >= 1.16.7, < 1.16.9, >= 1.17.3, < 1.17.5
  • MEDIUM6.5CVE-2022-25243"Vault and Vault Enterprise 1.8.0 through 1.8.8, and 1.9.3 allowed the PKI secrets engine under certain configurations to issue wildcard ce…
    >= 1.8.0, < 1.8.9, >= 1.9.0, < 1.9.4
  • MEDIUM6.5CVE-2022-25244Vault Enterprise clusters using the tokenization transform feature can expose the tokenization key through the tokenization key configurati…
    >= 1.7.0, < 1.7.10, >= 1.8.0, < 1.8.9, >= 1.9.0, < 1.9.4
  • MEDIUM6.5CVE-2020-35177Enumeration of users in HashiCorp Vault in github.com/hashicorp/vault
    >= 1.5.0, < 1.5.6, >= 1.6.0, < 1.6.1
  • MEDIUM6.5CVE-2023-0665HashiCorp Vault's PKI mount vulnerable to denial of service in github.com/hashicorp/vault
    from 0, < 1.11.9, >= 1.12.0, < 1.12.5, >= 1.13.0, < 1.13.1
  • MEDIUM6.4CVE-2024-2660HashiCorpVault does not correctly validate OCSP responses in github.com/hashicorp/vault
    >= 1.14.0, < 1.16.0
  • MEDIUM5.7CVE-2025-6015Hashicorp Vault has Login MFA Rate Limit Bypass Vulnerability in github.com/hashicorp/vault
    >= 1.10.0, < 1.20.1
  • MEDIUM5.5CVE-2024-2877Vault Enterprise Leaks Sensitive HTTP Request Headers in the Audit Log When Deployed With a Performance Standby Node
    >= 1.15.0, < 1.15.8
  • MEDIUM5.3CVE-2026-5052Vault Vulnerable to Server-Side Request Forgery in ACME Challenge Validation via Attacker-Controlled DNS
    >= 0.10.0, < 2.0.0
  • MEDIUM5.3CVE-2025-6004Hashicorp Vault has Lockout Feature Authentication Bypass
    >= 1.13.0, < 1.20.1
  • MEDIUM5.3CVE-2020-25594HashiCorp Vault and Vault Enterprise allowed for enumeration of Secrets Engine mount paths via unauthenticated HTTP requests.
    from 0, < 1.5.7, >= 1.6.0, < 1.6.2
  • MEDIUM5.3CVE-2020-35453HashiCorp Vault Enterprise’s Sentinel EGP policy feature incorrectly allowed requests to be processed in parent and sibling namespaces.
    >= 1.5.0, < 1.5.6, >= 1.6.0, < 1.6.1
  • MEDIUM5.3CVE-2021-27668HashiCorp Vault Enterprise 0.9.2 through 1.6.2 allowed the read of license metadata from DR secondaries without authentication.
    >= 0.9.2, < 1.6.3
  • MEDIUM5.3CVE-2021-3024HashiCorp Vault and Vault Enterprise disclosed the internal IP address of the Vault node when responding to some invalid, unauthenticated H…
    from 0, < 1.5.7, >= 1.6.0, < 1.6.2
  • MEDIUM5.3CVE-2020-10660HashiCorp Vault Improper Privilege Management in github.com/hashicorp/vault
    >= 0.9.0, < 1.3.4
  • MEDIUM5.3CVE-2023-3462HashiCorp Vault and Vault Enterprise vulnerable to user enumeration
    >= 1.13.0, < 1.13.5, >= 1.14.0, < 1.14.1
  • MEDIUM5.3CVE-2022-41316HashiCorp Vault's revocation list not respected
    from 0, < 1.9.10, >= 1.10.0, < 1.10.7, >= 1.11.0, < 1.11.4
  • MEDIUM5.3CVE-2022-30689HashiCorp Vault improper configuration of multi factor authentication in github.com/hashicorp/vault
    >= 1.10.0, < 1.10.3
  • MEDIUM5.3CVE-2021-38554Improper Removal of Sensitive Information Before Storage or Transfer in HashiCorp Vault
    from 0, < 1.8.0
  • MEDIUM4.9CVE-2021-45042In HashiCorp Vault and Vault Enterprise before 1.7.7, 1.8.x before 1.8.6, and 1.9.x before 1.9.1, clusters using the Integrated Storage bac…
    >= 1.4.0, < 1.7.7, >= 1.8.0, < 1.8.6, >= 1.9.0, < 1.9.1
  • MEDIUM4.9CVE-2023-3774Vault Enterprise Namespace Creation May Lead to Denial of Service
    >= 1.12.8, < 1.12.9, >= 1.13.4, < 1.13.5, >= 1.14.0, < 1.14.1
  • MEDIUM4.9CVE-2023-3775Vault Enterprise's Sentinel RGP Policies Allowed For Cross-Namespace Denial of Service
    >= 0.11.0, < 1.13.8, >= 1.14.0, < 1.14.4
  • MEDIUM4.7CVE-2023-25000Cache-timing attacks in Shamir's secret sharing in github.com/hashicorp/vault
    from 0, < 1.11.9, >= 1.12.0, < 1.12.5, >= 1.13.0, < 1.13.1
  • MEDIUM4.5CVE-2025-4166Hashicorp Vault Community vulnerable to Generation of Error Message Containing Sensitive Information
    >= 0.3.0, < 1.19.3
  • MEDIUM4.5CVE-2024-0831Hashicorp Vault may expose sensitive log information in github.com/hashicorp/vault
    >= 1.15.0, < 1.15.5
  • MEDIUM4.3CVE-2023-2121Hashicorp Vault vulnerable to Cross-site Scripting in github.com/hashicorp/vault
    from 0, < 1.11.11, >= 1.12.0, < 1.12.7, >= 1.13.0, < 1.13.3
  • LOW3.7CVE-2025-6011Hashicorp Vault has an Observable Discrepancy on Existing and Non-Existing Users
    from 0, < 1.20.1
  • LOW3.1CVE-2025-4656Vault Community Edition rekey and recovery key operations can cause denial of service
    >= 1.14.8, < 1.20.0
  • LOW2.9CVE-2021-41802Hashicorp Vault Privilege Escalation Vulnerability in github.com/hashicorp/vault
    from 0, < 1.7.5, >= 1.8.0, < 1.8.4
  • LOW2.6CVE-2024-5798HashiCorp Vault Incorrectly Validated JSON Web Tokens (JWT) Audience Claims
    >= 0.11.0, < 1.16.2
  • LOW2.5CVE-2023-2197Vault Enterprise Vulnerable to Padding Oracle Attacks When Using a CBC-based Encryption Mechanism with a HSM
    >= 1.13.0, < 1.13.2