LeakyCreds

CVE-2026-3605 - Vulnerability Analysis

Severity: High | CVSS: 8.1

Last Updated: April 17, 2026

HashiCorp Vault - Broken Access Control

Published: April 17, 2026
Updated: April 17, 2026
Remote Exploitable

Overview

HashiCorp Vault < 2.0.0 and < 1.21.5 contains a broken access control flaw caused by improper authorization checks on kvv2 paths covered by glob policies, letting authenticated users delete secrets they are not authorized to access. Exploitation requires authentication.

Severity & Score

Severity: High
CVSS Score: 8.1
EPSS Score: 1.2% (probability of exploitation in the next 30 days)

Impact

Authenticated users can delete unauthorized secrets, causing denial of service without data disclosure.

Mitigation

Update to Vault Community Edition 2.0.0, or to Vault Enterprise 2.0.0, 1.21.5, 1.20.10, or 1.19.16.
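As an added example (not part of this page and not a HashiCorp tool), the following Python helper turns the fixed releases listed in the Mitigation section into a version-triage check that a defender can run against a fleet inventory. It assumes that Vault Enterprise builds carry the `+ent` version suffix (this can be overridden with the `enterprise` argument), that Community Edition is only fixed from 2.0.0 onward as the Mitigation states, and, as a conservative assumption not stated on the page, that Enterprise 1.x branches without a listed backport should be flagged for review. The sample inventory at the bottom is constructed.

```python
# Added example: triage Vault versions against the fixed releases listed in
# the Mitigation section of this CVE-2026-3605 entry. Not HashiCorp code.
from typing import Dict, Iterable, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases taken from the Mitigation section of the page.
CE_FIXED: Version = (2, 0, 0)
ENTERPRISE_FIXED: Dict[Tuple[int, int], Version] = {
    (2, 0): (2, 0, 0),
    (1, 21): (1, 21, 5),
    (1, 20): (1, 20, 10),
    (1, 19): (1, 19, 16),
}


def parse_version(version: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH', tolerating a leading 'v' and build or
    pre-release suffixes such as '1.21.4+ent' or '1.21.4-rc1'."""
    core = version.strip().lstrip("v").split("+", 1)[0].split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Vault version string: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def is_enterprise(version: str) -> bool:
    """Assumption: Vault Enterprise builds carry a '+ent' suffix."""
    return "+ent" in version


def is_affected(version: str, enterprise: Optional[bool] = None) -> bool:
    """Return True when the given Vault version still needs the fix.

    - Any edition at 2.0.0 or later is fixed.
    - Community Edition below 2.0.0 is affected (no backport is listed).
    - Enterprise is fixed from the listed patch of its branch onward.
    - Enterprise 1.x branches with no listed backport are reported as
      affected so they are reviewed (conservative assumption, not from
      the page).
    """
    v = parse_version(version)
    ent = is_enterprise(version) if enterprise is None else enterprise
    if v >= CE_FIXED:
        return False
    if not ent:
        return True
    fixed = ENTERPRISE_FIXED.get((v[0], v[1]))
    if fixed is None:
        return True
    return v < fixed


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, bool]:
    """Map each host name to whether its Vault build is affected."""
    return {host: is_affected(ver) for host, ver in inventory}


# Constructed sample inventory (host, reported Vault version).
SAMPLE_INVENTORY = [
    ("vault-ce-01", "1.21.4"),
    ("vault-ce-02", "1.21.5"),
    ("vault-ent-01", "1.21.4+ent"),
    ("vault-ent-02", "1.21.5+ent"),
    ("vault-ent-03", "1.20.9+ent"),
    ("vault-ent-04", "1.19.16+ent"),
    ("vault-new-01", "2.0.0"),
]

if __name__ == "__main__":
    for host, affected in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {'AFFECTED' if affected else 'fixed'}")
```

Note that Community Edition 1.21.5 is still reported as affected: the Mitigation lists 1.21.5 only as an Enterprise release, and the helper follows that text rather than the shorter "< 1.21.5" phrasing in the Overview.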

Social Media Activity(1 post)

TheHackerWire
@thehackerwire
Apr 17, 2026

🟠 CVE-2026-3605 - High (8.1) An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user to delet... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-3605/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-3605
Severity: High
CVSS Score: 8.1
Type: broken_access_control
Status: unconfirmed
EPSS: 1.2%
Social Posts: 1

CWE

  • CWE-288

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

EPSS Score

1.2% (probability of exploitation in the next 30 days)