Introduction
An unauthenticated attacker with nothing more than network access to a HashiCorp Vault API can completely block administrators from performing root token generation and rekey ceremonies, two of the most critical operational workflows in any Vault deployment. CVE-2026-5807, disclosed on April 16, 2026, with a CVSS 3.1 score of 7.5, exposes a design flaw in how Vault handles concurrency for these administrative operations, and it marks the third time HashiCorp has patched denial of service issues in these same endpoint families.
Technical Information
Root Cause: Unauthenticated Endpoints and a Single Operation Slot
The core of this vulnerability lies in the intersection of two design decisions in HashiCorp Vault. First, three families of administrative endpoints were completely unauthenticated:
sys/rekeysys/generate-rootsys/replication/dr/secondary/generate-operation-token
The rationale for leaving these unauthenticated was that the ceremony itself requires presenting seal or recovery key fragments, which served as the trust mechanism. However, the only thing an attacker needs to initiate or cancel an operation on these endpoints is network access to the Vault API. No token, no key fragment, no authentication of any kind.
Second, Vault's concurrency model for root token generation and rekey workflows permits only a single in-progress operation slot at any given time. This is a deliberate design constraint: these are sensitive cryptographic ceremonies, and allowing concurrent operations would introduce significant complexity and risk.
The vulnerability, classified under CWE-770 (Allocation of Resources Without Limits or Throttling), arises because there is no mechanism to prevent an unauthenticated caller from monopolizing that single slot.
Attack Flow
The exploitation path is straightforward:
-
The attacker identifies a network reachable Vault instance. The target endpoints are standard Vault API paths, so discovery is trivial for anyone with access to the API.
-
The attacker sends an HTTP request to one of the vulnerable endpoints (for example,
sys/generate-root/attempt) to initiate a new root token generation operation. This occupies the single in-progress operation slot. -
Before any legitimate administrator can interact with the operation, the attacker sends a cancellation request (e.g., a DELETE to
sys/generate-root/attempt), freeing the slot momentarily. -
The attacker immediately re-initiates the operation, occupying the slot again. By automating this loop of initiate and cancel requests, the attacker maintains persistent control over the operation slot.
-
Legitimate administrators attempting to start their own root token generation or rekey ceremony find the slot perpetually occupied or in a transitional state. They are effectively locked out of these critical workflows.
The CVSS 3.1 vector confirms the severity profile: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. Network accessible, low complexity, no privileges required, no user interaction needed, and the impact is a complete denial of availability for the targeted administrative functions.
Impact on Governance and Incident Response
The practical impact extends beyond a simple service disruption. Root token generation and rekey ceremonies are typically performed during critical moments: incident response, key rotation after a suspected compromise, or disaster recovery. An attacker who can block these workflows at will can effectively prevent an organization from recovering its own infrastructure during the moments when recovery matters most.
Patch Information
HashiCorp addressed CVE-2026-5807 in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, published on April 14, 2026 (tagged v2.0.0). Notably, there are no backported fixes for any 1.x version line. While other vulnerabilities disclosed on the same day received backports, CVE-2026-5807 is exclusively fixed in the 2.0.0 release.
What the Patch Changes
The fix is architectural rather than incremental. In Vault 2.0.0, all three vulnerable endpoint families now require a valid Vault token in addition to the seal or recovery key fragments. This means an attacker who can reach the Vault API but does not hold a valid token can no longer initiate, cancel, or interfere with these administrative workflows.
The specific changes documented in the Vault 2.0.0 release notes are:
sys/generate-rootandsys/replication/dr/secondary/generate-operation-tokenendpoints are now authenticated by default. The previous unauthenticated behavior can be restored by adding"generate-root"or"generate-operation-token"to a new HCL configuration key calledenable_unauthenticated_access.sys/rekeyendpoints are now authenticated by default. The old behavior can similarly be restored by including"rekey"in theenable_unauthenticated_accessconfiguration.
Previously, these endpoints relied solely on the quorum of unseal or recovery key shares as the trust mechanism. After the patch, callers must present both a valid Vault token and the appropriate key fragment. The documentation explicitly notes this is designed to prevent an attacker from sending key update requests with bogus key fragments that block legitimate operations.
Backward Compatibility Escape Hatch
For operators who cannot immediately upgrade, or who have automation that calls these endpoints without a token, the enable_unauthenticated_access configuration parameter provides backward compatibility. However, enabling it explicitly re-opens the vulnerable behavior and should be treated as a temporary measure only.
Upgrade Considerations
Upgrading to a major new version requires careful planning. HashiCorp recommends:
- Isolate a test instance in a fully isolated network environment to prevent unwanted cluster communication or credential revocation.
- Back up the Vault data store using the snapshot CLI command or API endpoints, as the upgrade process may alter the data store.
- Review the release notes and important changes documentation for version 2.0.0, as new functionality may require configuration adjustments.
- Apply the upgrade in the isolated test environment and validate that critical workflows, authentication methods, and secrets engines function correctly.
- Proceed with the production upgrade once testing is successful.
Affected Systems and Versions
| Vault Edition | Affected Versions | Fixed Version |
|---|---|---|
| Vault Community Edition | Up to 1.21.4 | 2.0.0 |
| Vault Enterprise | Up to 1.21.4, 1.20.9, and 1.19.15 | 2.0.0 |
Any Vault deployment running a version in the affected column is vulnerable. The fix is only available in the 2.0.0 release line; no backports to 1.x versions exist for this specific CVE.
Vendor Security History
This is not the first time HashiCorp has addressed denial of service vulnerabilities in these unauthenticated endpoint families. The pattern of recurring issues in this code path is worth noting:
| Bulletin ID | CVE ID | Description | Fixed Versions |
|---|---|---|---|
| HCSEC-2025-11 | CVE-2025-4656 | DoS via uncontrolled cancellation of rekey and recovery key operations by an operator | 1.20.0, 1.19.6, 1.18.11, 1.17.17, 1.16.22 |
| HCSEC-2025-32 | CVE-2025-6203 | Incomplete fix for a previous DoS issue involving complex JSON payloads | 1.21.0, 1.20.5, 1.19.11, 1.16.27 |
| HCSEC-2026-08 | CVE-2026-5807 | DoS via unauthenticated root token generation and rekey operations occupying the single slot | 2.0.0 |
The progression from incremental fixes (rate limiting, per operation patches) to the definitive approach in 2.0.0 (requiring authentication outright) reflects the architectural challenge of balancing secure, unauthenticated key recovery ceremonies with availability protections. The earlier fixes attempted to address specific abuse patterns while preserving the unauthenticated design. The 2.0.0 patch acknowledges that the unauthenticated design itself was the root problem.
The vulnerability was discovered and responsibly disclosed by the XlabAI Team of Tencent Xuanwu Lab and the Atuin Automated Vulnerability Discovery Engine. As of the disclosure date, there is no evidence of active exploitation in the wild.
References
- NVD: CVE-2026-5807
- CVE Record: CVE-2026-5807
- HCSEC-2026-08: Vault Vulnerable to Denial of Service via Unauthenticated Root Token Generation/Rekey Operations
- Vault v2.0.0 Release on GitHub
- Vault Important Changes: Previously Unauthenticated Endpoints Require Authentication
- Vault Upgrade Documentation
- HCSEC-2025-11: Vault Vulnerable to Recovery Key Cancellation Denial of Service
- HCSEC-2025-32: Incomplete Fix for Previous Vault DoS Issue
- HashiCorp Officially Joins the IBM Family
- IBM Completes Acquisition of HashiCorp
