HashiCorp Vault carries two high-severity CVEs this week: an authorization bypass that allows authenticated users to delete KVv2 secrets outside their permitted scope via glob policy patterns, and a token forwarding flaw that exposes Vault tokens to external auth plugin backends when header pass-through is misconfigured. Both share the same affected version range and the same fixed releases, enabling a single patch action to address both. Neither is KEV-listed; both require authenticated access.