Vault fixes token exposure to auth plugin backends

Published 17 Apr 2026 · Source: CVEProject (cvelistV5)

TL;DR — A Vault header-sanitization flaw can leak a caller’s Vault token to auth plugin backends when Authorization passthrough is enabled, turning an auth integration into a secret-exposure path.

What happened

HashiCorp Vault is a widely used secrets-management and identity broker that issues and validates tokens for accessing protected secrets and capabilities.

CVE-2026-4525 describes a token exposure issue in Vault’s auth plugin request path: if an auth mount is configured to pass through the Authorization header, and that same header is used to authenticate to Vault (e.g., Authorization: Bearer <vault-token>), Vault could forward the Vault token to the auth plugin backend.

This is operationally important because plugin backends are frequently treated as “inside the trust boundary” and may log, trace, or otherwise process forwarded headers—so a single header-handling bug can turn into broad credential exposure and lateral movement risk in real deployments.

Who is impacted

  • Vault deployments using an auth method/plugin configured with passthrough_request_headers that includes Authorization, and where clients authenticate to Vault using the Authorization header.
  Component                   Affected versions (per HashiCorp / CVE record)    Fixed in (per HashiCorp / CVE record)
  Vault (Community Edition)   0.11.2 up to 1.21.4                               2.0.0
  Vault Enterprise            0.11.2 up to 1.21.4, plus 1.20.9 and 1.19.15      2.0.0, 1.21.5, 1.20.10, 1.19.16

What to do now

  • Follow vendor remediation guidance from the HashiCorp bulletin referenced by the CVE record.

    "Customers should evaluate the risk associated with this issue and consider upgrading to Vault Community Edition 2.0.0 or Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16."

  • Inventory where passthrough_request_headers is set for auth methods/plugins, and specifically identify any configuration that forwards Authorization to plugin backends.
  • Treat this as potential credential exposure where applicable: review plugin-backend logs/telemetry for forwarded Authorization contents and rotate/limit credentials accessible to affected Vault instances according to your incident response playbooks.
  • If you must keep Authorization passthrough for functional reasons, ensure downstream auth backends treat inbound Authorization as sensitive and do not log it (including request debug logging and tracing).
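The inventory and log-review steps above, as an added triage helper written for this article (it is not HashiCorp code and not part of the original post). It assumes the per-mount JSON that `vault read -format=json sys/auth/<mount>/tune` returns carries a `passthrough_request_headers` list under `data`, and that plugin-backend log lines print forwarded headers as `Authorization: ...` or `Authorization=...`; the tune documents and log lines embedded below are constructed for the example. The Vault token pattern (`hvs.`/`hvb.` prefixes, `s.`/`b.` on older versions) is an approximation used only to tell a forwarded Vault token apart from an upstream credential the passthrough was meant to carry.

```python
"""Triage helper for Authorization passthrough exposure (CVE-2026-4525 style).

Two checks, both side-effect free so they can run over exported data:
1. find_authorization_passthrough(): which auth mounts forward Authorization
   (header names are case-insensitive, so "authorization" counts too).
2. scan_log_lines(): which plugin-backend log lines carry a forwarded
   Authorization value, whether it looks like a Vault token, and a redacted
   copy of the lines that is safe to attach to an incident ticket.
"""
import re

# Constructed sample: mount path -> the "data" object from
# `vault read -format=json sys/auth/<mount>/tune` (assumed shape; other tune
# fields omitted). Gather the real thing by iterating `vault auth list -format=json`.
SAMPLE_TUNE_OUTPUT = {
    "token/": {"passthrough_request_headers": None},
    "oidc/": {"passthrough_request_headers": ["X-Forwarded-For"]},
    "custom-plugin/": {"passthrough_request_headers": ["authorization", "X-Request-Id"]},
    "jwt/": {"passthrough_request_headers": ["Authorization"]},
}


def find_authorization_passthrough(tune_by_mount):
    """Return the sorted mount paths whose passthrough list includes Authorization."""
    flagged = []
    for mount, data in tune_by_mount.items():
        headers = data.get("passthrough_request_headers") or []
        if any(h.strip().lower() == "authorization" for h in headers):
            flagged.append(mount)
    return sorted(flagged)


# Approximate Vault token shape (assumption for log matching, not a Vault spec):
# service tokens "hvs.", batch tokens "hvb.", legacy "s." / "b." prefixes.
VAULT_TOKEN_RE = re.compile(r"\b(?:hvs|hvb|s|b)\.[A-Za-z0-9_-]{20,}")
# Header as a plugin might print it: "Authorization: Bearer x" or "Authorization=x".
AUTH_HEADER_RE = re.compile(r"(?i)(authorization\s*[:=]\s*)(bearer\s+)?(\S+)")

# Constructed log lines: two forwarded Vault tokens (the exposure the CVE
# describes), one benign line, one upstream JWT that passthrough was meant for.
CONSTRUCTED_LOG_LINES = [
    "2026-04-17T10:01:02Z DEBUG plugin: request headers: "
    "Authorization=Bearer hvs.CAESIJ1234567890abcdefghijklmnopqrstuvwxyzABCDEF X-Request-Id=abc",
    "2026-04-17T10:01:03Z INFO plugin: login path=login/alice",
    "2026-04-17T10:01:04Z TRACE plugin: authorization: Bearer "
    "hvs.CAESIJ0987654321zyxwvutsrqponmlkjihgfedcbaZYXWVU",
    "2026-04-17T10:01:05Z DEBUG plugin: Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.e30.sig",
]


def scan_log_lines(lines):
    """Return (findings, redacted_lines).

    findings: one dict per line that carries an Authorization value, with the
    1-based line number and whether the value matches the Vault token pattern.
    redacted_lines: every input line, Authorization values replaced by [REDACTED].
    """
    findings = []
    redacted = []
    for number, line in enumerate(lines, start=1):
        match = AUTH_HEADER_RE.search(line)
        if match:
            value = match.group(3)
            findings.append({
                "line": number,
                "looks_like_vault_token": VAULT_TOKEN_RE.fullmatch(value) is not None,
            })
            line = AUTH_HEADER_RE.sub(
                lambda m: m.group(1) + (m.group(2) or "") + "[REDACTED]", line
            )
        redacted.append(line)
    return findings, redacted


if __name__ == "__main__":
    for mount in find_authorization_passthrough(SAMPLE_TUNE_OUTPUT):
        print(f"auth mount {mount} passes Authorization through to its backend")
    found, safe_lines = scan_log_lines(CONSTRUCTED_LOG_LINES)
    for f in found:
        kind = "Vault token" if f["looks_like_vault_token"] else "non-Vault credential"
        print(f"line {f['line']}: forwarded Authorization value ({kind})")
    print("\n".join(safe_lines))
```

Lines flagged with `looks_like_vault_token` set are the ones to treat as credential exposure under the rotation step above; a flagged line whose value is an upstream IdP credential still shows the backend is logging inbound Authorization and should be silenced, which is the third bullet's point.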
