High (7.5)

Vault unauth denial-of-service blocks admin (CVE-2026-5807)


Unauthenticated attackers can lock admin workflows in HashiCorp Vault pre-2.0.0. Upgrade to Vault 2.0.0+ to block DoS attacks on root token and rekey operations.

Affected: Hashicorp Vault

Vendor-confirmed: CVE-2026-5807 is a high-severity denial-of-service vulnerability in HashiCorp Vault prior to 2.0.0 that lets an unauthenticated attacker block critical root token generation and rekey operations by repeatedly claiming and canceling a single system slot. Upgrade immediately to version 2.0.0 or later.

Overview

A high-severity vulnerability in HashiCorp Vault allows an unauthenticated attacker on the network to cause a denial-of-service condition for critical administrative workflows. Tracked as CVE-2026-5807, this flaw has been addressed in the latest release.

Vulnerability Details

Vault manages sensitive root token generation and cryptographic rekeying operations through a single, system-wide slot for in-progress actions. The vulnerability allows any network-connected entity, without providing any credentials, to repeatedly initiate and then immediately cancel these operations. By doing so, an attacker can monopolize this single slot indefinitely, creating a permanent lockout for legitimate administrators.

Impact

The primary impact is a complete denial-of-service for two vital security procedures: generating new root tokens and performing cryptographic rekey operations. This prevents administrators from rotating master keys or recovering access via root tokens, which can halt security maintenance and disaster recovery efforts. The attack requires no authentication (Privileges Required: NONE) and no user interaction, making it simple to execute. The CVSS v3.1 base score is 7.5 (High).

Affected Products and Remediation

This vulnerability affects versions of HashiCorp Vault prior to 2.0.0.

The fix is to upgrade immediately.

  • Upgrade Vault Community Edition to version 2.0.0 or later.
  • Upgrade Vault Enterprise to version 2.0.0 or later.

There are no supported workarounds or configuration changes to mitigate this vulnerability. The only complete remediation is applying the patch. After upgrading, no further action is required.

Security Insight

This vulnerability highlights a recurring theme in security design: the risk of single-threaded or singleton resource management for critical functions without proper rate limiting or authorization checks. Like past DoS flaws in other systems, it shows how a seemingly minor architectural constraint (a single in-progress operation slot) can be exploited to create a significant operational blockade. It serves as a reminder to audit administrative APIs for both authentication and logical availability guarantees.

Update - May 2026

No patches or vendor advisory updates have been released since the original publication. As of 15 May 2026, CVE-2026-5807 remains unpatched; the sole mitigation continues to be limiting network access to the Vault API endpoint /v1/sys/rekey/init and /v1/sys/generate-root/attempt.

The EPSS score has increased from 0.0002 to 0.0003 (10th percentile), indicating a marginal rise in exploit chatter, though exploitation in the wild remains unconfirmed. CISA KEV has not added this CVE; defenders should continue monitoring KEV for any change.

No related CVEs sharing the same attack pattern (unauthenticated state-exhaustion via concurrent rekey/root-token workflows) have been published in the Vault ecosystem this month.

Detection guidance: monitor Vault audit logs for repeated POST /v1/sys/rekey/init or POST /v1/sys/generate-root/attempt calls from the same source IP within a short time window. Abnormal volumes of cancel operations on these endpoints also indicate potential abuse.

Recommended actions:

  • Restrict unauthenticated access to the rekey and root‑generation endpoints using Vault’s ACL policies or network firewalls immediately.
  • Review recent Vault audit logs for anomalous call patterns on the affected endpoints.
  • Subscribe to HashiCorp security advisories for patch release notifications.
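The detection guidance above and the audit-log review action can be turned into a concrete check. The following is an added example, not HashiCorp code and not part of the original advisory. It assumes the JSON line format of Vault's file audit device, in which `request.path` is recorded without the `/v1/` prefix, `request.operation` is `update` for POST/PUT and `delete` for DELETE (the cancel verb for both `/sys/rekey/init` and `/sys/generate-root/attempt`), and `request.remote_address` carries the caller's IP. The log lines, IPs, timestamps, window and threshold below are all constructed for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Paths from the advisory, as Vault's audit device records them (no /v1/ prefix).
WATCHED_PATHS = {"sys/rekey/init", "sys/generate-root/attempt"}


def _entry(ts, ip, path, op, kind="request"):
    # Constructed audit line in the shape of Vault's JSON audit device output
    # (fields irrelevant to this check are omitted).
    return json.dumps({"time": ts, "type": kind,
                       "request": {"operation": op, "path": path,
                                   "remote_address": ip}})


# Constructed sample log: one legitimate admin attempt from 10.0.0.5,
# one unrelated secret read, one response record, and a churn pattern from
# 198.51.100.7 that starts and cancels the rekey slot five times in ten seconds.
SAMPLE_AUDIT_LOG = [
    _entry("2026-05-15T10:00:00Z", "10.0.0.5", "sys/generate-root/attempt", "update"),
    _entry("2026-05-15T10:00:01Z", "10.0.0.5", "secret/data/app", "read"),
    _entry("2026-05-15T10:00:01Z", "10.0.0.5", "secret/data/app", "read", kind="response"),
]
for i in range(5):
    SAMPLE_AUDIT_LOG.append(_entry("2026-05-15T10:00:%02dZ" % (5 + 2 * i),
                                   "198.51.100.7", "sys/rekey/init", "update"))
    SAMPLE_AUDIT_LOG.append(_entry("2026-05-15T10:00:%02dZ" % (6 + 2 * i),
                                   "198.51.100.7", "sys/rekey/init", "delete"))


def parse_events(lines):
    """Keep only request records that touch the two slot-holding endpoints."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        if entry.get("type") != "request":
            continue
        req = entry.get("request", {})
        if req.get("path") not in WATCHED_PATHS:
            continue
        events.append({
            "time": datetime.fromisoformat(entry["time"].replace("Z", "+00:00")),
            "ip": req.get("remote_address", "unknown"),
            "path": req["path"],
            "op": req.get("operation"),
        })
    return events


def find_slot_churn(lines, window=timedelta(seconds=60), threshold=5):
    """Return {ip: {"inits": n, "cancels": m}} for every source IP that issued
    at least `threshold` init/cancel requests on the watched endpoints inside
    any sliding `window`. A single legitimate attempt never trips this."""
    events = sorted(parse_events(lines), key=lambda e: e["time"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings[ip] = {
                    "inits": sum(1 for e in evs if e["op"] == "update"),
                    "cancels": sum(1 for e in evs if e["op"] == "delete"),
                }
                break
    return findings


if __name__ == "__main__":
    for ip, counts in find_slot_churn(SAMPLE_AUDIT_LOG).items():
        print("slot churn from %s: %d inits, %d cancels" % (ip, counts["inits"], counts["cancels"]))
```

The window and threshold are deliberately conservative: a genuine rekey or root-token ceremony produces a handful of requests over minutes, so several init/cancel pairs from one address within a minute is a strong signal. Because the affected endpoints accept unauthenticated calls, `remote_address` is the only attribution available in the log, so run this against logs from every Vault node behind a load balancer and make sure the balancer forwards the real client address.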
