CVE-2026-4525
Vault Token Leaked to Backends via Authorization: Bearer Passthrough Header
7.5
HIGH
CVSS 3.1
EPSS 0.03%
Description
If a Vault auth mount was configured to pass through the "Authorization" header, and that same "Authorization" header was used to authenticate to Vault, Vault forwarded the caller's Vault token to the auth plugin backend along with the request. Fixed in 2.0.0, 1.21.5, 1.20.10, and 1.19.16.
How to fix CVE-2026-4525
To remediate CVE-2026-4525, upgrade the affected package to a fixed version below.
- —upgrade to 2.0.0 or later
- —no fix listed
Is CVE-2026-4525 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 0.10.0, < 2.0.0
- >= 0.11.2, <= 1.21.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |