CVE-2026-3605
denial-of-service vulnerability in vault (Go)

denial-of-service | No known exploit

What is CVE-2026-3605 About?

An authenticated Vault user with access to a kvv2 path via a glob in their policy can delete secrets they are not authorized to read or write. This leads to a denial-of-service condition by preventing access to legitimate secrets. Exploitation requires authenticated access and a specific policy configuration.

Affected Software

github.com/hashicorp/vault >=0.10.0, <=1.21.4

Technical Details

The vulnerability in Vault (CVE-2026-3605) allows an authenticated user with specific policy configurations to cause a denial-of-service. This occurs when a user's policy contains a 'glob' (wildcard) for a kvv2 path. Due to an underlying flaw, this user, despite not having explicit read or write authorization for certain secrets within that globbed path, can nonetheless issue delete operations for those secrets. By deleting secrets they are not supposed to access, the attacker effectively removes legitimate data, leading to a denial-of-service for services or users dependent on those secrets. The vulnerability does not allow for cross-namespace deletion or reading of secret data.

What is the Impact of CVE-2026-3605?

Successful exploitation may allow an authenticated user to delete secrets for which they lack read or write authorization, leading to unavailability of critical secrets and thus causing a denial-of-service.

What is the Exploitability of CVE-2026-3605?

Exploitation complexity is moderate, requiring an authenticated user with specific, but potentially misconfigured, privileges. Authentication is explicitly required, since the attacker must be a legitimate Vault user. The privilege requirement is access to kvv2 paths through a policy containing a glob (*). This is a local vulnerability in terms of Vault's access control logic, but it can be triggered remotely through the Vault API. The main constraint is the specific policy configuration. Risk increases when users are granted broad, glob-based access to kvv2 paths, which unintentionally allows them to delete secrets outside the intended scope of their read/write permissions.
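The Technical Details and Exploitability sections above both single out one configuration as the risk factor: a policy that grants kvv2 access through a glob. The following policy audit script is an added example for defenders reviewing their own policies; it is not Vault's code and not part of this advisory. It assumes a kv-v2 engine mounted at "secret/" (a constructed assumption) and reads policies in the common `path "..." { capabilities = [...] }` form with a small regex-based reader rather than a full HCL parser. It flags every kv-v2 rule that relies on a wildcard and distinguishes a glob placed at the mount root, which covers every kv-v2 API prefix including delete/ and destroy/, from one scoped inside a single prefix.

```python
"""Flag glob-based kv-v2 access in Vault policy documents.

Added review aid, not Vault's own code. Assumptions (constructed for this
example): a kv-v2 engine is mounted at "secret/", and policies use the
common `path "..." { capabilities = [...] }` form, which a small regex
reader handles (nested braces such as allowed_parameters are not parsed).
"""
import re
from dataclasses import dataclass

# Assumption: mount points where kv-v2 engines live in this deployment.
KV2_MOUNTS = ("secret/",)

# kv-v2 exposes separate API prefixes under the mount; a glob placed at the
# mount root matches all of them, including the delete-oriented ones.
KV2_API_PREFIXES = ("data/", "metadata/", "delete/", "undelete/", "destroy/")

PATH_BLOCK = re.compile(r'path\s+"(?P<path>[^"]+)"\s*\{(?P<body>[^}]*)\}')
CAPABILITIES = re.compile(r'capabilities\s*=\s*\[(?P<caps>[^\]]*)\]')


@dataclass(frozen=True)
class Finding:
    path: str
    capabilities: tuple
    reason: str


def parse_policy(text):
    """Return (path, capabilities) pairs for each path block in the policy."""
    rules = []
    for block in PATH_BLOCK.finditer(text):
        caps_match = CAPABILITIES.search(block.group("body"))
        caps = ()
        if caps_match:
            caps = tuple(c.strip().strip('"')
                         for c in caps_match.group("caps").split(",")
                         if c.strip())
        rules.append((block.group("path"), caps))
    return rules


def audit_policy(text, kv2_mounts=KV2_MOUNTS):
    """Flag every kv-v2 rule that relies on a wildcard ('*' glob or '+' segment)."""
    findings = []
    for path, caps in parse_policy(text):
        mount = next((m for m in kv2_mounts if path.startswith(m)), None)
        if mount is None or not ("*" in path or "+" in path):
            continue
        rest = path[len(mount):]
        if any(rest.startswith(p) for p in KV2_API_PREFIXES):
            reason = "wildcard inside a single kv-v2 API prefix"
        else:
            reason = ("wildcard at the mount root spans every kv-v2 API prefix, "
                      "including delete/ and destroy/")
        findings.append(Finding(path, caps, reason))
    return findings


# Constructed sample policies for the three cases the audit distinguishes.
BROAD_POLICY = '''
path "secret/*" {
  capabilities = ["read", "list"]
}
'''

SCOPED_GLOB_POLICY = '''
path "secret/data/payments/*" {
  capabilities = ["read"]
}
path "secret/metadata/payments/*" {
  capabilities = ["list"]
}
'''

EXPLICIT_POLICY = '''
path "secret/data/payments/db" {
  capabilities = ["read"]
}
path "secret/metadata/payments/db" {
  capabilities = ["read", "list"]
}
path "auth/token/lookup-self" {
  capabilities = ["read"]
}
'''

if __name__ == "__main__":
    samples = (("broad", BROAD_POLICY),
               ("scoped", SCOPED_GLOB_POLICY),
               ("explicit", EXPLICIT_POLICY))
    for name, text in samples:
        findings = audit_policy(text)
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  {f.path} {list(f.capabilities)} -> {f.reason}")
```

Run against a dump of your policies (for example the output of `vault policy read <name>` saved to files) to list which identities reach kvv2 through a wildcard; the explicit, per-secret form produces no findings and is the shape to move towards while no fixed release is available.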

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2026-3605?

Available Upgrade Options

  • No fixes available


Additional Resources

What are Similar Vulnerabilities to CVE-2026-3605?

Similar Vulnerabilities: CVE-2023-32986, CVE-2023-25807, CVE-2023-25806, CVE-2022-40439, CVE-2022-45231