CVE-2026-5052

ADVISORY - github

Summary

Vault’s PKI engine’s ACME validation did not reject local targets when issuing http-01 and tls-alpn-01 challenges. This may lead to these requests being sent to local network targets, potentially leading to information disclosure. Fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.

EPSS Score⁠: 0.00009 (0.009)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-918⁠

Server-Side Request Forgery (SSRF)

ADVISORY - github

CWE-918⁠

Server-Side Request Forgery (SSRF)

ADVISORY - redhat

CWE-918⁠

Server-Side Request Forgery (SSRF)

Impacted images

Advisories

Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.