HCSEC-2026-06 - Vault Vulnerable to Server-Side Request Forgery in ACME Challenge Validation via Attacker-Controlled DNS

Bulletin ID: HCSEC-2026-06
Affected Products / Versions:
Vault Community Edition 1.14.0 up to 1.21.4; fixed in 2.0.0.
Vault Enterprise 1.14.0 up to 1.21.4, 1.20.9, and 1.19.15; fixed in 2.0.0, 1.21.5, 1.20.10, and 1.19.16.
Publication Date: April 16th, 2026

Summary
The ACME validation in Vault’s PKI engine did not reject local targets when performing http-01 and tls-alpn-01 challenges. As a result, validation requests could be sent to local network targets, potentially leading to information disclosure. This vulnerability, CVE-2026-5052, is fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.

Background
Vault’s PKI engine supports the ACME certificate lifecycle protocol, including the http-01 and tls-alpn-01 challenge types.

Details
Depending on the Vault configuration, the ACME challenge endpoint is either unauthenticated or requires an External Account Binding (EAB) token.
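The missing check described above, as an added illustration that is not Vault's own code: before an http-01 or tls-alpn-01 validator dials the identifier in a certificate order, every address the name resolves to is screened against loopback, private, link-local and similar ranges, and the validator is expected to dial a screened IP rather than re-resolve the name. The `lookupFunc` type, the function names and the `example.test` answers are assumptions constructed for the example.

```go
package main

import (
	"context"
	"fmt"
	"net/netip"
)

// isLocalTarget reports whether an address is one an ACME validator must never
// contact for a requester: loopback, private (RFC 1918/ULA), link-local (covers
// metadata 169.254.169.254), unspecified or multicast. ::ffff:a.b.c.d is unmapped first.
func isLocalTarget(ip netip.Addr) bool {
	ip = ip.Unmap()
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsInterfaceLocalMulticast() ||
		ip.IsUnspecified() || ip.IsMulticast()
}

// lookupFunc abstracts DNS; in production wrap net.DefaultResolver.LookupNetIP.
type lookupFunc func(ctx context.Context, host string) ([]netip.Addr, error)

// resolveChallengeTarget resolves an order identifier and returns the addresses the
// validator may dial. Every answer is checked so a requester-controlled zone cannot
// hide an internal address among public ones; dial a returned IP, never re-resolve.
func resolveChallengeTarget(ctx context.Context, lookup lookupFunc, host string) ([]netip.Addr, error) {
	addrs, err := lookup(ctx, host)
	if err != nil {
		return nil, fmt.Errorf("resolving %q: %w", host, err)
	}
	if len(addrs) == 0 {
		return nil, fmt.Errorf("resolving %q: no addresses", host)
	}
	for _, a := range addrs {
		if isLocalTarget(a) {
			return nil, fmt.Errorf("%q resolves to local address %s: refusing validation", host, a)
		}
	}
	return addrs, nil
}

func main() {
	// Constructed answers standing in for a requester-controlled DNS zone.
	stub := func(_ context.Context, h string) ([]netip.Addr, error) {
		return map[string][]netip.Addr{
			"www.example.test":    {netip.MustParseAddr("203.0.113.10")},
			"rebind.example.test": {netip.MustParseAddr("203.0.113.10"), netip.MustParseAddr("10.0.0.5")},
		}[h], nil
	}
	fmt.Println(resolveChallengeTarget(context.Background(), stub, "rebind.example.test"))
}
```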

Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Vault Community Edition 2.0.0 or Vault Enterprise 2.0.0, 1.21.5, 1.20.10, or 1.19.16. Please refer to Upgrading Vault for general guidance.

Acknowledgement
This issue was independently identified and reported by Oleh Konko of 1seal, as well as Vipin Chaudhary.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.
