Introduction
Organizations relying on HashiCorp Vault for AWS-based secrets management may face unauthorized access if their authentication configuration uses cross-account IAM role names or wildcards. This issue can grant unintended Vault access to principals from untrusted AWS accounts, directly impacting the integrity of secrets and credentials in cloud environments.
HashiCorp is a major provider of infrastructure automation and security products. Vault is their flagship secrets management solution, widely adopted across industries for managing sensitive credentials and cryptographic material. The AWS Auth method is a core feature, enabling seamless authentication for AWS workloads without distributing static credentials.
Technical Information
CVE-2025-11621 affects the AWS Auth method in HashiCorp Vault. The vulnerability arises when the bound_iam_principal_arn parameter is configured with either:
- The same IAM role name across multiple AWS accounts
- A wildcard pattern (e.g., arn:aws:iam::*:role/ExampleRole or arn:aws:iam::123456789012:role/*)
Vault's internal cache for AWS authentication responses does not sufficiently distinguish between principals from different AWS accounts or different roles matching a wildcard. When a principal from one AWS account successfully authenticates, the resulting cache entry may be reused for a principal from another account with the same role name or for any principal matching the wildcard. This allows an unauthorized principal to bypass authentication and obtain a Vault token intended for a different entity.
The root cause is improper cache key construction: the cache does not include enough unique identifiers (such as the AWS account ID) to differentiate principals. This is a classic case of CWE-288 (Authentication Bypass Using an Alternate Path or Channel).
No public code snippets or PoC are available for this vulnerability.
Affected Systems and Versions
- HashiCorp Vault Community Edition: All versions before 1.21.0
- HashiCorp Vault Enterprise: All versions before 1.21.0, 1.20.5, 1.19.11, and 1.16.27
- Only configurations using the AWS Auth method with cross-account role name reuse or wildcards in bound_iam_principal_arn are vulnerable
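To find the bindings the advisory describes (a wildcard in the account or resource part of bound_iam_principal_arn, or one IAM role name bound across several accounts), the following audit script is an added example and not HashiCorp's code; it assumes role definitions in the shape returned by `vault read -format=json auth/aws/role/<name>`, with the sample roles constructed inline.

```python
"""Audit Vault AWS auth roles for the risky bound_iam_principal_arn patterns
behind CVE-2025-11621. Input shape (assumption): {vault_role: {"bound_iam_principal_arn": [arn, ...]}}."""
from collections import defaultdict

# Constructed sample roles (not taken from a real Vault instance).
SAMPLE_ROLES = {
    "ci-deploy":      {"bound_iam_principal_arn": ["arn:aws:iam::111111111111:role/Deploy"]},
    "ci-deploy-prod": {"bound_iam_principal_arn": ["arn:aws:iam::222222222222:role/Deploy"]},
    "any-account":    {"bound_iam_principal_arn": ["arn:aws:iam::*:role/ExampleRole"]},
    "any-role":       {"bound_iam_principal_arn": ["arn:aws:iam::123456789012:role/*"]},
    "safe":           {"bound_iam_principal_arn": ["arn:aws:iam::333333333333:role/Reader"]},
}


def parse_iam_arn(arn):
    """Split arn:partition:service:region:account:resource and return (account, resource)."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "iam":
        raise ValueError(f"not an IAM ARN: {arn}")
    return parts[4], parts[5]


def audit_roles(roles):
    """Return (vault_role, arn, reason) findings for wildcard and cross-account bindings."""
    findings = []
    by_role_name = defaultdict(list)  # "role/Name" -> [(vault_role, account, arn)]
    for vault_role, cfg in roles.items():
        for arn in cfg.get("bound_iam_principal_arn", []):
            account, resource = parse_iam_arn(arn)
            if "*" in account:
                findings.append((vault_role, arn, "wildcard account id"))
            if "*" in resource:
                findings.append((vault_role, arn, "wildcard resource"))
            # Exact role bindings are collected so the same role name in
            # different accounts can be reported as cross-account reuse.
            if "*" not in arn and resource.startswith("role/"):
                by_role_name[resource].append((vault_role, account, arn))
    for resource, entries in by_role_name.items():
        accounts = {account for _, account, _ in entries}
        if len(accounts) > 1:
            for vault_role, _, arn in entries:
                findings.append((vault_role, arn, f"{resource} bound in {len(accounts)} accounts"))
    return findings


if __name__ == "__main__":
    for vault_role, arn, reason in audit_roles(SAMPLE_ROLES):
        print(f"{vault_role}: {arn} -> {reason}")
```

Any finding should be resolved by binding each Vault role to a single full ARN with an explicit account ID, in addition to upgrading to a fixed Vault release.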
Vendor Security History
HashiCorp Vault has had previous authentication-related vulnerabilities, including:
- CVE-2020-16250: AWS Auth method authentication bypass via manipulated GetCallerIdentityResponse
- Multiple authentication flaws disclosed and patched in 2025 (see HCSEC-2025-13 through HCSEC-2025-20)
HashiCorp typically responds quickly to security issues, providing detailed advisories and backported patches for supported versions.