CVE-2026-5052

ADVISORY - github

Summary

Vault’s PKI engine’s ACME validation did not reject local targets when issuing http-01 and tls-alpn-01 challenges. This may lead to these requests being sent to local network targets, potentially leading to information disclosure. Fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-918⁠

Server-Side Request Forgery (SSRF)

ADVISORY - github

CWE-918⁠

Server-Side Request Forgery (SSRF)

ADVISORY - redhat

CWE-918⁠

Server-Side Request Forgery (SSRF)

Impacted images

Advisories

NIST

CREATED

1 day ago

UPDATED

16 hours ago

ADVISORY IDCVE-2026-5052⁠

EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND

-

COMMON WEAKNESS ENUMERATION (CWE)

CVSS SCORE

5.3medium

GitHub

CREATED

1 day ago

UPDATED

7 hours ago

ADVISORY IDGHSA-8r5m-3f66-qpr3⁠

EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND

-

COMMON WEAKNESS ENUMERATION (CWE)

CVSS SCORE

5.3medium

Red Hat

CREATED

1 day ago

UPDATED

6 hours ago

ADVISORY IDCVE-2026-5052⁠

EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND

-

COMMON WEAKNESS ENUMERATION (CWE)

CVSS SCORE

5.8medium