Vault unauth denial-of-service blocks admin (CVE-2026-5807)
Vault is vulnerable to a denial-of-service condition where an unauthenticated attacker can repeatedly initiate or cancel root token generation or rekey operations, occupying the single in-progress ope...
Overview
A high-severity vulnerability in HashiCorp Vault allows an unauthenticated attacker on the network to cause a denial-of-service condition for critical administrative workflows. Tracked as CVE-2026-5807, this flaw has been addressed in the latest release.
Vulnerability Details
Vault manages sensitive root token generation and cryptographic rekeying operations through a single, system-wide slot for in-progress actions. The vulnerability allows any network-connected entity, without providing any credentials, to repeatedly initiate and then immediately cancel these operations. By doing so, an attacker can monopolize this single slot indefinitely, creating a permanent lockout for legitimate administrators.
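The churn described above (initiate, cancel, initiate again, from one source that never presents credentials) is visible to defenders in Vault's audit device output. The following detector is an added example, not code from the advisory or from Vault: it parses constructed, Vault-style JSON audit lines and flags any source that issues more than a threshold number of initiate/cancel operations against the root-generation or rekey endpoints inside a sliding window. The record layout (`time`, `type`, `request.path`, `request.operation`, `request.remote_address`), the sample addresses, and the window and threshold values are assumptions chosen for the illustration.

```python
"""Flag churn on Vault's shared root-generation / rekey slot from audit logs.

Added illustration, not Vault code. The log lines are constructed to resemble
Vault's JSON audit device records; field names, addresses and thresholds are
assumptions for this example.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Endpoints that drive the single in-progress slot described in the advisory.
# Initiating is an "update", cancelling is a "delete".
SLOT_PATHS = {"sys/generate-root/attempt", "sys/rekey/init"}
SLOT_OPERATIONS = {"update", "delete"}


def _audit_line(ts, path, operation, remote):
    """Build one constructed, minimal Vault-style audit record."""
    return json.dumps({
        "time": ts,
        "type": "request",
        "request": {"path": path, "operation": operation, "remote_address": remote},
    })


# Constructed sample: an admin at 10.0.0.5 makes one legitimate attempt; a
# source at 198.51.100.7 alternates initiate/cancel once per second, then
# also pokes the rekey endpoint. The unrelated secret read is filtered out.
SAMPLE_AUDIT_LINES = [
    _audit_line("2026-01-01T10:00:00Z", "secret/data/app", "read", "10.0.0.5"),
    _audit_line("2026-01-01T10:00:01Z", "sys/generate-root/attempt", "update", "10.0.0.5"),
] + [
    _audit_line(f"2026-01-01T10:00:{5 + i:02d}Z", "sys/generate-root/attempt",
                "update" if i % 2 == 0 else "delete", "198.51.100.7")
    for i in range(10)
] + [
    _audit_line("2026-01-01T10:00:20Z", "sys/rekey/init", "update", "198.51.100.7"),
]


def parse_slot_events(lines):
    """Keep only request records that touch the shared slot endpoints."""
    events = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("type") != "request":
            continue
        req = rec.get("request", {})
        if req.get("path") not in SLOT_PATHS or req.get("operation") not in SLOT_OPERATIONS:
            continue
        events.append({
            "time": datetime.fromisoformat(rec["time"].replace("Z", "+00:00")),
            "source": req.get("remote_address", "unknown"),
            "path": req["path"],
            "operation": req["operation"],
        })
    return events


def detect_slot_churn(events, window=timedelta(seconds=60), threshold=6):
    """Return {source: peak_count} for sources whose slot operations exceed
    `threshold` inside any `window`-long sliding window (two-pointer scan)."""
    by_source = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_source[ev["source"]].append(ev["time"])

    flagged = {}
    for source, times in by_source.items():
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[source] = peak
    return flagged


if __name__ == "__main__":
    for src, count in detect_slot_churn(parse_slot_events(SAMPLE_AUDIT_LINES)).items():
        print(f"slot churn from {src}: {count} initiate/cancel operations in 60s")
```

The legitimate admin shows one operation and is never flagged; the churning source is reported with its peak count. In production the same logic would run over the audit device's actual stream (file, syslog or socket), with the threshold tuned to how often genuine root-generation or rekey ceremonies occur in that environment, which is normally rarely.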
Impact
The primary impact is a complete denial-of-service for two vital security procedures: generating new root tokens and performing cryptographic rekey operations. This prevents administrators from rotating master keys or recovering access via root tokens, which can halt security maintenance and disaster recovery efforts. The attack requires no authentication (Privileges Required: NONE) and no user interaction, making it simple to execute. The CVSS v3.1 base score is 7.5 (High).
Affected Products and Remediation
This vulnerability affects versions of HashiCorp Vault prior to 2.0.0.
The fix is to upgrade immediately.
- Upgrade Vault Community Edition to version 2.0.0 or later.
- Upgrade Vault Enterprise to version 2.0.0 or later.
There are no supported workarounds or configuration changes to mitigate this vulnerability. The only complete remediation is applying the patch. After upgrading, no further action is required.
Security Insight
This vulnerability highlights a recurring theme in security design: the risk of managing a critical function through a single, system-wide resource without rate limiting or authorization checks on the calls that claim and release it. As with past denial-of-service flaws in other systems, a seemingly minor architectural constraint (here, one operation slot) can be turned into a significant operational blockade. It is a reminder to audit administrative APIs not only for authentication but also for logical availability guarantees.
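To make the design point concrete, the following simulation is an added example and not Vault code, nor a description of the fix shipped in Vault 2.0.0. It models a singleton in-progress slot in two forms: a naive slot that anyone may claim or release, which reproduces the lockout, and a hardened variant that applies the two controls named above, a per-source cooldown on claims (rate limiting) and a cancel handle bound to the operation's creator (authorization), plus an expiry so an abandoned operation cannot hold the slot forever. The class names, the cooldown and TTL values, and the `FakeClock` are assumptions for this illustration.

```python
"""Singleton operation slot: the lockout pattern and one hardened variant.

Added illustration of the advisory's design point, not Vault code and not the
shipped fix. Cooldown, TTL and handle mechanics are assumptions.
"""
import secrets


class FakeClock:
    """Deterministic clock so the scenarios replay identically."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class NaiveSlot:
    """Unowned slot: any caller may start or cancel, with no throttling."""
    def __init__(self):
        self.holder = None

    def begin(self, source):
        if self.holder is not None:
            return False          # busy: this is the administrator's lockout
        self.holder = source
        return True

    def cancel(self, source, handle=None):
        self.holder = None        # no ownership check: anyone ends anyone's operation
        return True


class HardenedSlot:
    """Slot with a creator-bound cancel handle, a per-source cooldown and a TTL."""
    def __init__(self, clock, cooldown=300.0, ttl=120.0):
        self.clock, self.cooldown, self.ttl = clock, cooldown, ttl
        self.holder = self.handle = self.started = None
        self.last_begin = {}      # source -> time of its last accepted claim

    def _expire(self, now):
        # An operation nobody completes or cancels releases the slot after ttl.
        if self.holder is not None and now - self.started >= self.ttl:
            self.holder = self.handle = self.started = None

    def begin(self, source):
        now = self.clock()
        self._expire(now)
        if self.holder is not None:
            return None           # genuinely busy
        if now - self.last_begin.get(source, float("-inf")) < self.cooldown:
            return None           # rate limited: this source claimed too recently
        self.last_begin[source] = now
        self.holder, self.started = source, now
        self.handle = secrets.token_hex(16)
        return self.handle        # only the holder of this handle may cancel

    def cancel(self, source, handle):
        if self.holder is None or not handle or not secrets.compare_digest(handle, self.handle):
            return False          # stale or foreign handle: refuse
        self.holder = self.handle = self.started = None
        return True


def naive_scenario():
    """Initiate/cancel churn from one source against the unprotected slot."""
    slot = NaiveSlot()
    slot.begin("churner")
    blocked_first = not slot.begin("admin")
    slot.cancel("churner")                    # release, then immediately re-claim
    slot.begin("churner")
    blocked_again = not slot.begin("admin")
    slot.cancel("churner")
    slot.begin("admin")                       # the admin finally gets a turn...
    foreign_cancel = slot.cancel("churner")   # ...and an unrelated caller ends it
    return {"admin_blocked": blocked_first and blocked_again,
            "foreign_cancel_succeeded": foreign_cancel}


def hardened_scenario():
    """The same churn against the slot with cooldown and bound cancel handle."""
    clock = FakeClock()
    slot = HardenedSlot(clock)
    h1 = slot.begin("churner")
    clock.advance(1)
    slot.cancel("churner", h1)
    clock.advance(1)
    reclaimed = slot.begin("churner")         # None: still inside the cooldown
    admin_handle = slot.begin("admin")        # admin claims the freed slot
    foreign_cancel = slot.cancel("churner", h1)   # stale handle is rejected
    return {"churner_reclaimed": reclaimed is not None,
            "admin_started": admin_handle is not None,
            "foreign_cancel_succeeded": foreign_cancel}


def abandoned_operation_expires():
    """A claimed-and-forgotten operation cannot hold the slot past its TTL."""
    clock = FakeClock()
    slot = HardenedSlot(clock, cooldown=300.0, ttl=120.0)
    slot.begin("churner")
    clock.advance(119)
    before = slot.begin("admin")              # still held
    clock.advance(1)
    after = slot.begin("admin")               # TTL reached: slot reclaimable
    return before is None and after is not None
```

The naive slot fails on both axes the advisory names: the administrator is blocked by repeated claims, and a caller with no relationship to the operation can cancel it. The hardened slot throttles repeated claims per source, refuses cancellation without the handle issued at creation, and expires idle operations so the slot never becomes a permanent hostage. Real systems additionally authenticate and audit the operator-level cancel path rather than relying on a bearer handle alone.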