HashiCorp Vault is widely used to protect the most sensitive credentials in an organization, including database passwords, API keys, and cloud access tokens. If a Vault token is captured through this vulnerability, an attacker gains the ability to retrieve any secret that token is authorized to access, potentially unlocking access to production databases, cloud environments, and critical internal systems. Depending on the token's permission scope, a single captured token could expose regulated data, disrupt operations, or provide an entry point for a broader breach.
You Are Affected If
You run HashiCorp Vault or Vault Enterprise versions prior to 2.0.0, 1.21.5, 1.20.10, or 1.19.16
One or more Vault auth mounts are configured with 'passthrough_request_headers' set to include the 'Authorization' header
Clients authenticate to Vault using the Authorization header (i.e., the same header being passed through to the plugin backend)
Vault communicates with one or more external auth plugin backends that could be accessed by an untrusted party or over an unencrypted channel
Vault audit logging is not enabled. This does not by itself make you affected, but without audit logs you cannot tell which clients authenticated through the affected mounts, so you cannot scope which tokens may already have been forwarded and captured (note that the audit log records the request to Vault, not what the plugin backend did with the forwarded header)
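The two conditions that can be checked mechanically are the version and the mount configuration. The helper below is an added example, not HashiCorp's code or tooling: it decides from a `vault version` string whether the build is still in the affected range given the fixed releases listed above, and it scans the JSON that `vault auth list -format=json -detailed` returns (the mount-path-to-mount-info shape, with tune options under `config`, is an assumption about that output) for auth mounts whose `passthrough_request_headers` include `Authorization`. The sample mount listing is constructed for the example. Releases in a minor series with no listed fix are treated as affected whenever they are below 2.0.0, which is a conservative reading of the version list above.

```python
"""Audit helper for the Vault passthrough_request_headers exposure.

Example code, not HashiCorp's. Checks (1) whether a Vault version string
falls below the fixed release for its series and (2) which auth mounts in a
`vault auth list -format=json -detailed` listing forward the Authorization
header to their plugin backend.
"""
import json
import re

# Fixed releases named in the advisory. Anything below the fixed patch in
# its minor series, or in any other series below 2.0.0, is treated as affected.
FIXED_VERSIONS = [(2, 0, 0), (1, 21, 5), (1, 20, 10), (1, 19, 16)]


def parse_version(version_string):
    """Extract (major, minor, patch) from strings such as '1.21.3+ent' or
    'Vault v1.20.9 (abc123)'. Returns None if no version number is present."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", version_string)
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


def is_affected_version(version_string):
    """True when the version is below the fixed release for its series."""
    version = parse_version(version_string)
    if version is None:
        raise ValueError(f"cannot parse a Vault version from {version_string!r}")
    major, minor, patch = version
    for fixed in FIXED_VERSIONS:
        if (major, minor) == fixed[:2]:
            # Same minor series: fixed from the listed patch release upward.
            return patch < fixed[2]
    # Series without a listed fix (e.g. 1.18.x): in scope only below 2.0.0.
    return version < (2, 0, 0)


def exposed_auth_mounts(auth_list):
    """Return the auth mount paths that forward the Authorization header.

    auth_list is the parsed JSON of `vault auth list -format=json -detailed`,
    assumed to be {"<path>/": {"type": ..., "config": {...}}} with the tune
    option under config["passthrough_request_headers"]. HTTP header names are
    case-insensitive, so the comparison is too."""
    exposed = []
    for path, mount in auth_list.items():
        config = mount.get("config") or {}
        headers = config.get("passthrough_request_headers") or []
        if any(header.strip().lower() == "authorization" for header in headers):
            exposed.append(path)
    return sorted(exposed)


# Constructed sample listing: three auth mounts, one of which passes the
# Authorization header through to a (hypothetical) external plugin backend.
SAMPLE_AUTH_LIST = json.loads("""
{
  "token/": {"type": "token",
             "config": {"default_lease_ttl": 0, "max_lease_ttl": 0}},
  "oidc/": {"type": "oidc",
            "config": {"default_lease_ttl": 0, "max_lease_ttl": 0,
                       "passthrough_request_headers": ["X-Forwarded-For"]}},
  "custom-plugin/": {"type": "custom-auth",
                     "config": {"default_lease_ttl": 0, "max_lease_ttl": 0,
                                "passthrough_request_headers":
                                    ["X-Request-Id", "authorization"]}}
}
""")


if __name__ == "__main__":
    for version in ("1.21.3+ent", "1.21.5", "1.20.9", "1.18.4", "2.0.0"):
        status = "AFFECTED" if is_affected_version(version) else "fixed"
        print(f"{version}: {status}")
    for path in exposed_auth_mounts(SAMPLE_AUTH_LIST):
        print(f"auth mount {path} forwards Authorization to its backend")
```

On a live cluster, feed the helper the output of `vault auth list -format=json -detailed` and `vault version`. For any mount it reports, retune the mount so the list no longer contains Authorization (for example with `vault auth tune -passthrough-request-headers=<remaining headers> <mount>/`), then revoke tokens that authenticated through that mount during the exposure window.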
Board Talking Points
A flaw in our secrets management platform could expose high-privilege credentials to external systems, potentially giving attackers access to production databases, cloud environments, and internal applications.
Security teams should patch HashiCorp Vault to the fixed version and revoke any potentially exposed tokens within the next patch cycle, prioritizing environments where Vault manages regulated or production-critical secrets.
Without patching, a party with access to an auth plugin backend could capture credentials that unlock broad access to our most sensitive systems.
PCI-DSS — Vault is commonly used to manage credentials for payment processing systems; token exposure could compromise cardholder data environment access controls (Requirement 8)
HIPAA — If Vault manages credentials for systems storing or processing protected health information, token exposure could constitute unauthorized access to ePHI
SOC 2 — Vault token exposure undermines logical access controls and may require disclosure under Trust Services Criteria CC6.1 and CC6.3