CVE Catalog

CVE-2026-5051

MediumCVSS 4.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.28%

20th percentile — higher than 20% of all known CVEs

Summary

In HashiCorp Vault and Vault Enterprise prior to version 2.0.1, the audit device validation logic did not consistently apply plugin directory protections when the legacy file audit path option was used. This vulnerability is fixed in versions 2.0.1, 1.21.6, 1.20.11, and 1.19.17.

Risk Assessment

The organization may be exposed to unauthorized access or manipulation of audit data, potentially leading to integrity breaches of logs and concealment of unwanted activities.

Recommendation

Immediately update HashiCorp Vault to one of the patched versions: 2.0.1, 1.21.6, 1.20.11, or 1.19.17, and avoid using the legacy file audit path option.

Original NVD description (English source)

HashiCorp Vault and Vault Enterprise prior to 2.0.1 audit device validation logic did not consistently apply plugin directory protections when the legacy file audit path option was used. This vulnerability (CVE-2026-5051) is fixed in 2.0.1, 1.21.6, 1.20.11, and 1.19.17.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS