CVE-2025-11621 — Vault AWS auth method bypass due to AWS client cache

Description

Vault and Vault Enterprise’s (“Vault”) AWS Auth method may be susceptible to authentication bypass if the role of the configured bound_principal_iam is the same across AWS accounts, or uses a wildcard. This vulnerability, CVE-2025-11621, is fixed in Vault Community Edition 1.21.0 and Vault Enterprise 1.21.0, 1.20.5, 1.19.11, and 1.16.27

How to fix CVE-2025-11621

To remediate CVE-2025-11621, upgrade the affected package to a fixed version below.

—upgrade to 1.21.0 or later
—upgrade to 1.21.0 or later
—upgrade to 1.21.0 or later

Is CVE-2025-11621 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

>= 0.6.0, < 1.21.0
>= 0.6.0, < 1.21.0
>= 0.6.0, < 1.21.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.1	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

References (5)

ADVISORYgithub.com/advisories/GHSA-9g4h-h484-3578
ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-11621
PATCHgithub.com/hashicorp/vault
WEBdiscuss.hashicorp.com/t/hcsec-2025-30-vault-aws-auth-method-authentication-bypass-through-mishandling-of-cache-entries/76709