HCSEC-2025-21 - Vault User Enumeration in Userpass Auth Method

Bulletin ID: HCSEC-2025-21
Affected Products / Versions: Vault Community from 1.13.0 up to 1.20.2.
Vault Enterprise from 1.13.0 up to 1.20.2, 1.19.8, 1.18.13, and 1.16.24.

Publication Date: August 6, 2025

Summary
Vault Community and Vault Enterprise’s (“Vault”) userpass method is affected by a user enumeration vulnerability. This may allow an attacker to enumerate valid usernames on this auth method through brute force or a list of known usernames. CVE-2025-6010 was reserved by HashiCorp to track this issue, which will be fixed in an upcoming Vault release.

Background
Vault’s userpass auth method allows users to authenticate to Vault using a username and password combination.

Remediation
As of the time of publication, this issue is not fixed in a released version of Vault Community or Vault Enterprise. This bulletin will be updated when a fixed version is released.

While we believe this is a low-risk issue, customers who wish to reduce the impact of this vulnerability should consider using rate-limit quotas in Vault (see the example below) or enabling network-level rate-limiting controls that restrict access to Vault. Customers may also consider enforcing login MFA for the userpass auth mounts.

vault write sys/quotas/rate-limit/userpass-auth-ratelimit \
    name="userpass-auth-ratelimit" \
    path="namespace1/auth/userpass*" \
    rate=10 \
    interval="1m" \
    block_interval="5m"

Refer to the create a rate limit quota documentation for other examples.
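Rate limiting bounds how fast usernames can be tried; the complementary control is to notice an enumeration attempt in the audit log. The following is an added example, not code from the bulletin or from HashiCorp: it reads Vault audit log entries (JSON lines) and flags a remote address whose failed userpass logins span many distinct usernames. It assumes the JSON audit device format (the username is the last segment of `request.path`, and a failed response carries a top-level `error`), a userpass mount at the default `auth/userpass` path (with or without a namespace prefix), and constructed sample entries.

```python
import json
from collections import defaultdict

# Constructed sample audit entries (not real log data). 203.0.113.7 fails against
# four different usernames; 198.51.100.9 fails once for alice, then succeeds.
SAMPLE_AUDIT_LOG = """\
{"time":"2025-08-06T10:00:01Z","type":"response","request":{"operation":"update","path":"auth/userpass/login/alice","remote_address":"203.0.113.7"},"error":"invalid username or password"}
{"time":"2025-08-06T10:00:02Z","type":"response","request":{"operation":"update","path":"auth/userpass/login/bob","remote_address":"203.0.113.7"},"error":"invalid username or password"}
{"time":"2025-08-06T10:00:03Z","type":"response","request":{"operation":"update","path":"namespace1/auth/userpass/login/carol","remote_address":"203.0.113.7"},"error":"invalid username or password"}
{"time":"2025-08-06T10:00:04Z","type":"response","request":{"operation":"update","path":"auth/userpass/login/dave","remote_address":"203.0.113.7"},"error":"invalid username or password"}
{"time":"2025-08-06T10:00:05Z","type":"response","request":{"operation":"update","path":"auth/userpass/login/alice","remote_address":"198.51.100.9"},"error":"invalid username or password"}
{"time":"2025-08-06T10:00:06Z","type":"response","request":{"operation":"update","path":"auth/userpass/login/alice","remote_address":"198.51.100.9"},"auth":{"display_name":"userpass-alice"}}
{"time":"2025-08-06T10:00:07Z","type":"request","request":{"operation":"update","path":"auth/userpass/login/erin","remote_address":"203.0.113.7"}}
"""

LOGIN_PREFIX = "auth/userpass/login/"  # assumed default mount path


def failed_userpass_logins(audit_lines):
    """Yield (remote_address, username) for every failed userpass login response."""
    for line in audit_lines:
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        # "request" entries record only the attempt; outcome is in the "response" entry.
        if entry.get("type") != "response" or not entry.get("error"):
            continue
        request = entry.get("request", {})
        path = request.get("path", "")
        idx = path.find(LOGIN_PREFIX)  # tolerate a namespace prefix before "auth/"
        if idx == -1:
            continue
        yield request.get("remote_address", "unknown"), path[idx + len(LOGIN_PREFIX):]


def enumeration_suspects(audit_lines, distinct_user_threshold=3):
    """Map remote_address -> sorted usernames for sources whose failed logins
    touched at least `distinct_user_threshold` distinct usernames."""
    users_by_source = defaultdict(set)
    for source, user in failed_userpass_logins(audit_lines):
        users_by_source[source].add(user)
    return {src: sorted(users) for src, users in users_by_source.items()
            if len(users) >= distinct_user_threshold}


if __name__ == "__main__":
    for src, users in enumeration_suspects(SAMPLE_AUDIT_LOG.splitlines()).items():
        print(f"{src}: failed logins against {len(users)} distinct users: {', '.join(users)}")
```

The threshold is a tuning knob: a single user mistyping a password repeatedly produces many failures against one username, which this check deliberately ignores.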

Acknowledgement
This issue was identified by Yarden Porat of Cyata Security who reported it to HashiCorp.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.

The failed login attempts cache is enforced very early in the request cycle; the cached values are shared across multiple auth methods, each of which returns a different response or type of error; and locked-out users are replicated consistently across all nodes within a Vault cluster, so that the feature works as expected across the wide range of ways Vault is used.

After spending significant effort investigating possible solutions and workarounds, and due to the complexities described above, any fix is likely to result in some amount of user enumeration, including through side-channels.

We believe the risk to users is low, as most Internet-exposed systems generally provide enumeration in some form (for example services requiring unique email addresses to sign up), and that the benefits of the lockout feature, coupled with its default-enabled configuration, outweigh any potential information leakage risks.

We have updated the documentation of the user lockout feature, and withdrawn the reserved CVE. Please feel free to reach out to security@hashicorp.com if you have any questions or concerns.