CVE-2026-5052
Last modified
CVE-2026-5052 is a high-severity vulnerability rated 8.6/10 on the CVSS scale. Vault’s PKI engine’s ACME validation did not reject local targets when issuing http-01 and tls-alpn-01 challenges. This may lead to these requests being sent to local network targets, potentially leading to information disclosure. EPSS estimates a 0.33% chance of exploitation in the next 30 days.
Description
Vault’s PKI engine’s ACME validation did not reject local targets when issuing http-01 and tls-alpn-01 challenges. This may lead to these requests being sent to local network targets, potentially leading to information disclosure. Fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Hashicorp | Vault | >= 1.14.0, < 1.19.16 |
| Hashicorp | Vault | >= 1.14.0, < 2.0.0 |
| Hashicorp | Vault | >= 1.20.0, < 1.20.10 |
| Hashicorp | Vault | >= 1.21.0, < 1.21.5 |
References
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-5052?
How severe is CVE-2026-5052?
How do I fix CVE-2026-5052?
Are you affected by CVE-2026-5052?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST