CVE-2026-4525: HashiCorp Vault May Expose Tokens to Auth Plugins Due to Incorrect Header Sanitization

April 17, 2026 (updated April 18, 2026)

If a Vault auth mount is configured to pass through the “Authorization” header, and the “Authorization” header is used to authenticate to Vault, Vault forwarded the Vault token to the auth plugin backend. Fixed in 2.0.0, 1.21.5, 1.20.10, and 1.19.16.

References

discuss.hashicorp.com/t/hcsec-2026-07-vault-may-expose-tokens-to-auth-plugins-due-to-incorrect-header-sanitization/77344
github.com/advisories/GHSA-72gw-fmmr-c4r4
github.com/hashicorp/vault
nvd.nist.gov/vuln/detail/CVE-2026-4525

Code Behaviors & Features

Detect and mitigate CVE-2026-4525 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →