5 matches found
EUVD-2026-23344
Vault’s PKI engine’s ACME validation did not reject local targets when issuing http-01 and tls-alpn-01 challenges. This may lead to these requests being sent to local network targets, potentially leading to information disclosure. Fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0,...
GHSA-M2W4-8GGF-RJ47 HashiCorp Vault has a KVv2 Metadata and Secret Deletion Policy Bypass that leads to Denial-of-Service
An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user to delete secrets across namespaces, nor read any secret...
EUVD-2025-23817
Malicious code in bioql PyPI...
PT-2025-31661
Name of the Vulnerable Software and Affected Versions: HashiCorp Vault versions prior to 1.20.1; HashiCorp Vault versions 1.19.7 and earlier; HashiCorp Vault versions 1.18.12 and earlier; HashiCorp Vault versions 1.16.23 and earlier; HashiCorp Vault versions 0.8.0 through 1.16.22; HashiCorp Vault...
CVE-2023-25000 Vault Vulnerable to Cache-Timing Attacks During Seal and Unseal Operations
HashiCorp Vault's implementation of Shamir's secret sharing used precomputed table lookups, and was vulnerable to cache-timing attacks. An attacker with access to, and the ability to observe a large number of unseal operations on the host through a side channel may reduce the search space of a...