HashiCorp Vault is a secrets management platform widely used to store API keys, database passwords, TLS certificates, and service credentials. An attacker or malicious insider exploiting this flaw could silently destroy secrets, causing dependent applications and services to fail until credentials are regenerated and rotated. The resulting outages may affect production systems, customer-facing services, and automated pipelines, with recovery time dependent on the completeness of your secrets backup and rotation procedures.
You Are Affected If
You run HashiCorp Vault Community Edition earlier than 2.0.0, or Vault Enterprise earlier than 2.0.0, 1.21.5, 1.20.10, or 1.19.16
Your Vault instance has KVv2 secrets engine mounts in use
One or more Vault policies grant access to KVv2 paths using glob patterns ('*' or '+')
Authenticated users or service accounts operate under those glob-pattern policies
You have not applied the vendor patches or manually restricted delete capabilities on affected policies
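To find the policies that match the conditions above, a defender needs to know which policy stanzas combine a glob pattern with a capability that can remove KV v2 data. The following script is an added example, not code from the page or from HashiCorp: it parses the simple `path "..." { capabilities = [...] }` form of Vault policy HCL, takes the list of KV v2 mount names as input (an assumption, since the checker cannot see your mount table), and flags glob stanzas that grant `delete` or `sudo`, or that grant `update` on the KV v2 `delete`/`destroy` endpoints (standard KV v2 API semantics: destroying or deleting specific versions is an update on those endpoints). The two policies embedded in it are constructed samples showing the risky shape and a restricted shape that removes delete capabilities.

```python
import re
from typing import Dict, List, Sequence

# Capabilities that remove KV v2 data directly when granted on a glob path:
# "delete" on secret/data/... soft-deletes the latest version and on
# secret/metadata/... permanently removes every version; "sudo" is a superset.
DESTRUCTIVE_CAPS = {"delete", "sudo"}

# KV v2 endpoints where the destructive action is an HTTP POST, i.e. "update":
# secret/delete/... soft-deletes chosen versions, secret/destroy/... erases them.
DESTRUCTIVE_UPDATE_SEGMENTS = {"delete", "destroy"}

# Matches one simple policy stanza; nested blocks and other attributes are out of scope.
STANZA_RE = re.compile(
    r'path\s+"(?P<path>[^"]+)"\s*\{\s*capabilities\s*=\s*\[(?P<caps>[^\]]*)\]\s*\}',
    re.S,
)

# Constructed sample: one glob grant covering every endpoint of the "secret" mount.
RISKY_POLICY = '''
path "secret/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
'''

# Constructed sample: globs kept for convenience, but no delete capability and no
# write access outside the data endpoint.
HARDENED_POLICY = '''
path "secret/data/app/*" {
  capabilities = ["create", "read", "update", "list"]
}
path "secret/metadata/app/*" {
  capabilities = ["read", "list"]
}
'''


def parse_policy(hcl: str) -> List[Dict]:
    """Return [{"path": ..., "capabilities": [...]}] for each simple stanza in the HCL."""
    stanzas = []
    for m in STANZA_RE.finditer(hcl):
        caps = [c.strip().strip('"') for c in m.group("caps").split(",") if c.strip()]
        stanzas.append({"path": m.group("path"), "capabilities": caps})
    return stanzas


def is_glob(path: str) -> bool:
    """Vault policy wildcards: trailing '*' and single-segment '+'."""
    return "*" in path or "+" in path


def destructive_glob_stanzas(hcl: str, kv2_mounts: Sequence[str]) -> List[Dict]:
    """Flag glob stanzas on KV v2 mounts whose capabilities allow removing secret data."""
    findings = []
    for stanza in parse_policy(hcl):
        path = stanza["path"]
        mount = next((m for m in kv2_mounts if path.startswith(m + "/")), None)
        if mount is None or not is_glob(path):
            continue
        # First path element after the mount: data, metadata, delete, destroy, or a wildcard.
        segment = path[len(mount) + 1:].split("/", 1)[0]
        caps = set(stanza["capabilities"])
        reasons = []
        if caps & DESTRUCTIVE_CAPS:
            reasons.append(f"grants {sorted(caps & DESTRUCTIVE_CAPS)} on glob path")
        if "update" in caps and (segment in DESTRUCTIVE_UPDATE_SEGMENTS or is_glob(segment)):
            # A wildcard segment spans the delete/ and destroy/ endpoints too.
            reasons.append("grants update on an endpoint that deletes or destroys versions")
        if reasons:
            findings.append({"path": path, "capabilities": sorted(caps), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for name, policy in (("risky", RISKY_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, destructive_glob_stanzas(policy, ["secret"]))
```

Run it against the output of `vault policy read <name>` for each policy in the deployment; a non-empty result lists the stanzas to tighten before the patch is applied, by splitting the glob into explicit `data` and `metadata` paths and dropping `delete` from the capability list where the workload does not need it.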
Board Talking Points
A flaw in our secrets management platform could allow a credentialed insider or compromised account to silently destroy critical credentials, causing application and service outages.
The security team should patch affected Vault instances to the fixed versions within normal patch cycle timelines, with immediate policy restrictions applied to high-risk environments.
Without remediation, any user with authenticated Vault access and a glob-pattern policy can destroy secrets undetected, potentially causing extended service disruptions that are difficult to trace.
PCI-DSS — Vault is commonly used to store payment service credentials and encryption keys; secret destruction could compromise cardholder data environment integrity controls (Requirements 3, 6, and 10)
HIPAA — Vault deployments protecting PHI system credentials or encryption keys may face availability and integrity control failures under the Security Rule (§164.312)