{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5052", "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "state": "PUBLISHED", "assignerShortName": "HashiCorp", "dateReserved": "2026-03-27T17:50:20.727Z", "datePublished": "2026-04-17T02:55:25.080Z", "dateUpdated": "2026-04-17T02:55:25.080Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["64 bit", "32 bit", "x86", "ARM", "MacOS", "Windows", "Linux"], "product": "Vault", "repo": "https://github.com/hashicorp/vault", "vendor": "HashiCorp", "versions": [{"lessThan": "2.0.0", "status": "affected", "version": "1.15.0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "platforms": ["64 bit", "32 bit", "x86", "ARM", "MacOS", "Windows", "Linux"], "product": "Vault Enterprise", "repo": "https://github.com/hashicorp/vault", "vendor": "HashiCorp", "versions": [{"changes": [{"at": "1.19.16", "status": "unaffected"}, {"at": "1.20.10", "status": "unaffected"}, {"at": "1.21.5", "status": "unaffected"}], "lessThan": "2.0.0", "status": "affected", "version": "1.15.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Vault\u2019s PKI engine\u2019s ACME validation did not reject local targets when issuing http-01 and tls-alpn-01 challenges. This may lead to these requests being sent to local network targets, potentially leading to information disclosure. Fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.</p><br/>"}], "value": "Vault\u2019s PKI engine\u2019s ACME validation did not reject local targets when issuing http-01 and tls-alpn-01 challenges. This may lead to these requests being sent to local network targets, potentially leading to information disclosure. Fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16."}], "impacts": [{"capecId": "CAPEC-118", "descriptions": [{"lang": "en", "value": "CAPEC-118: Collect and Analyze Information"}]}], "metrics": [{"cvssV3_1": {"baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "shortName": "HashiCorp", "dateUpdated": "2026-04-17T02:55:25.080Z"}, "references": [{"url": "https://discuss.hashicorp.com/t/hcsec-2026-06-vault-vulnerable-to-server-side-request-forgery-in-acme-challenge-validation-via-attacker-controlled-dns/77343"}], "source": {"advisory": "HCSEC-2026-06", "discovery": "EXTERNAL"}, "title": "Vault Vulnerable to Server-Side Request Forgery in ACME Challenge Validation via Attacker-Controlled DNS"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Vault\u2019s PKI engine\u2019s ACME validation did not reject local targets when issuing http-01 and tls-alpn-01 challenges. This may lead to these requests being sent to local network targets, potentially leading to information disclosure. Fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16."}], "id": "CVE-2026-5052", "lastModified": "2026-04-17T04:16:12.567", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@hashicorp.com", "type": "Secondary"}]}, "published": "2026-04-17T04:16:12.567", "references": [{"source": "security@hashicorp.com", "url": "https://discuss.hashicorp.com/t/hcsec-2026-06-vault-vulnerable-to-server-side-request-forgery-in-acme-challenge-validation-via-attacker-controlled-dns/77343"}], "sourceIdentifier": "security@hashicorp.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security@hashicorp.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": ["64_bit", "32_bit", "x86", "arm", "macos", "windows", "linux"], "status": "affected", "versions": {"scheme": "semver", "value": "[1.15.0,2.0.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Vault", "source": "cna", "vendor": "HashiCorp"}, "product": "vault", "vendor": "hashicorp"}, {"configurations": [{"platform": ["64_bit", "32_bit", "x86", "arm", "macos", "windows", "linux"], "status": "affected", "versions": {"scheme": "semver", "value": "[1.15.0,1.19.16)"}}, {"platform": ["64_bit", "32_bit", "x86", "arm", "macos", "windows", "linux"], "status": "unaffected", "versions": {"scheme": "semver", "value": "[1.19.16,1.20.10)"}}, {"platform": ["64_bit", "32_bit", "x86", "arm", "macos", "windows", "linux"], "status": "unaffected", "versions": {"scheme": "semver", "value": "[1.20.10,1.21.5)"}}, {"platform": ["64_bit", "32_bit", "x86", "arm", "macos", "windows", "linux"], "status": "unaffected", "versions": {"scheme": "semver", "value": "[1.21.5,2.0.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Vault Enterprise", "source": "cna", "vendor": "HashiCorp"}, "product": "vault_enterprise", "vendor": "hashicorp"}], "analysis": {"en": {"generated_at": "2026-04-17T04:50:42.315251+00:00", "value": {"mitigation_remediation": ["Upgrade Vault to version 2.0.0 or later, or to Enterprise 1.21.5, 1.20.10, or 1.19.16 if already using those specific releases", "If an upgrade is not immediately possible, temporarily disable ACME challenge validation in the Vault PKI configuration", "Configure network segmentation or firewall rules to prevent internal services from responding to requests originating from Vault\u2019s ACME validation process"], "summary": {"action": "Immediate Patch", "impact": "Server-Side Request Forgery (SSRF) leading to potential information disclosure"}, "threat_synthesis": {"affected_systems": "The vulnerability affects HashiCorp Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0 as well as earlier Enterprise releases 1.21.5, 1.20.10, and 1.19.16. Any deployment of these versions that performs ACME challenge validation is potentially exposed.", "description_and_impact": "Vault\u2019s PKI engine allowed ACME http-01 and tls-alpn-01 challenges to be validated against local or attacker\u2011controlled DNS targets. This flaw permits the server to issue HTTP requests to internal services, exposing sensitive data that should remain unavailable to external clients.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate impact. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting an unknown exploitation probability. The likely attack vector involves manipulating DNS for a domain used in ACME challenge validation, enabling an attacker to direct Vault\u2019s internal request to a local resource. The potential impact is data leakage from internal services vulnerable to SSRF."}}}}, "created": "2026-04-17T05:00:05.420115+00:00", "updated": "2026-04-17T05:00:05.502022+00:00", "vendors": ["hashicorp", "hashicorp$PRODUCT$vault", "hashicorp$PRODUCT$vault_enterprise"]}