CVE-2026-5052
Vault Vulnerable to Server-Side Request Forgery in ACME Challenge Validation via Attacker-Controlled DNS
5.3
MEDIUM
CVSS 3.1
EPSS 0.02%
Description
Vault’s PKI engine’s ACME validation did not reject local targets when issuing http-01 and tls-alpn-01 challenges. This may lead to these requests being sent to local network targets, potentially leading to information disclosure. Fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.
How to fix CVE-2026-5052
To remediate CVE-2026-5052, upgrade the affected package to a fixed version below.
- —upgrade to 2.0.0 or later
- —no fix listed
Is CVE-2026-5052 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 0.10.0, < 2.0.0
- >= 1.14.0, <= 1.21.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |