CVE-2026-3605

ADVISORY - github

Summary

An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user to delete secrets across namespaces, nor read any secret data. Fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-288⁠

Authentication Bypass Using an Alternate Path or Channel

ADVISORY - github

CWE-288⁠

Authentication Bypass Using an Alternate Path or Channel

ADVISORY - redhat

CWE-639⁠

Authorization Bypass Through User-Controlled Key

Impacted images

Advisories

NIST

CREATED

1 day ago

UPDATED

16 hours ago

ADVISORY IDCVE-2026-3605⁠

EXPLOITABILITY SCORE

2.8

EXPLOITS FOUND

-

COMMON WEAKNESS ENUMERATION (CWE)

CVSS SCORE

8.1high

GitHub

CREATED

1 day ago

UPDATED

7 hours ago

ADVISORY IDGHSA-m2w4-8ggf-rj47⁠

EXPLOITABILITY SCORE

2.8

EXPLOITS FOUND

-

COMMON WEAKNESS ENUMERATION (CWE)

CVSS SCORE

8.1high

Red Hat

CREATED

1 day ago

UPDATED

6 hours ago

ADVISORY IDCVE-2026-3605⁠

EXPLOITABILITY SCORE

2.8

EXPLOITS FOUND

-

COMMON WEAKNESS ENUMERATION (CWE)

CVSS SCORE

8.1high