HCSEC-2026-08

HCSEC-2026-08 - Vault Vulnerable to Denial-of-Service via Unauthenticated Root Token Generation/Rekey Operations

Published
April 17, 2026

🔗 CVE IDs covered (1)

  • CVE-2026-5807

📋 Description

Bulletin ID: HCSEC-2026-08
Affected Products / Versions: Vault Community Edition up to 1.21.4, fixed in 2.0.0; Vault Enterprise up to 1.21.4, 1.20.9, and 1.19.15, fixed in 2.0.0.
Publication Date: April 16th, 2026

Summary

Vault is vulnerable to a denial-of-service condition in which an unauthenticated attacker can repeatedly initiate or cancel root token generation or rekey operations, occupying the single in-progress operation slot and preventing legitimate operators from completing these workflows. This vulnerability, CVE-2026-5807, is fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0.

Background

generate-root and rekey are administrative operations used to manage sensitive cryptographic material. The generate-root process creates a new root token through a quorum-based unseal key ceremony, while rekey rotates the unseal or recovery key shares. More information on key recovery operations can be found in the key recovery documentation page.

Details

Because the sys/rekey, sys/generate-root, and sys/rekey-recovery-key endpoints are unauthenticated, an attacker can repeatedly initiate (or cancel) operations with plain HTTP requests, leaving the operation in a locked state. This can disrupt, or lock out, legitimate operations by an administrator or operator. These endpoints were unauthenticated by design, since generate-root exists precisely to recover access when no valid token is available; any Vault whose listener is reachable from untrusted networks therefore exposes the attack surface without any credential being required.

There are previous disclosures regarding rekey functionality:
https://discuss.hashicorp.com/t/hcsec-2025-32-incomplete-fix-for-previous-vault-dos-issue/76711
https://discuss.hashicorp.com/t/hcsec-2025-11-vault-vulnerable-to-recovery-key-cancellation-denial-of-service/75570

Remediation

Customers should evaluate the risk associated with this issue and consider upgrading to Vault Community Edition 2.0.0 or Vault Enterprise 2.0.0. Please refer to Upgrading Vault for general guidance.
Customers who wish to revert the new functionality, please refer to https://developer.hashicorp.com/vault/docs/updates/important-changes#previously-unauthenticated-endpoints-require-authentication in the…
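The abuse pattern described under Details can be spotted from outside Vault. The script below is an added example written for this page; it is not HashiCorp code and not part of Vault. It assumes a reverse proxy or load balancer in front of Vault that writes one access-log line per request in the constructed "<iso8601> <client_ip> <method> <path> <status>" format shown; the log lines, addresses, nonces and thresholds are all made up for illustration, the status-body fields (`started`, `nonce`, `progress`, `required`) are the ones the rekey and generate-root status endpoints return, and the `CANCEL_HINT` CLI forms are the operator commands as the author of this example knows them.

```python
"""Spot abuse of Vault's unauthenticated rekey / generate-root endpoints.

Added example for advisory HCSEC-2026-08, not HashiCorp code. Assumes a
reverse proxy in front of Vault logs "<iso8601> <client_ip> <method> <path>
<status>" per request; every sample value below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Endpoints named in the advisory. On each path GET reads status, PUT/POST
# starts an attempt and DELETE cancels it; in affected versions none of
# these verbs requires a token, so any client can start/cancel at will.
CEREMONY_PATHS = frozenset({
    "/v1/sys/rekey/init",
    "/v1/sys/rekey-recovery-key/init",
    "/v1/sys/generate-root/attempt",
})
MUTATING = frozenset({"PUT", "POST", "DELETE"})  # init or cancel

# Operator-side cancel for each path (vault CLI), returned only as a hint.
CANCEL_HINT = {
    "/v1/sys/rekey/init": "vault operator rekey -cancel",
    "/v1/sys/rekey-recovery-key/init": "vault operator rekey -target=recovery -cancel",
    "/v1/sys/generate-root/attempt": "vault operator generate-root -cancel",
}

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|PUT|POST|DELETE) (\S+) (\d{3})$")

# Constructed sample: 198.51.100.7 churns init/cancel on two ceremony
# paths; an operator at 10.0.0.5 checks status, then its own init is
# rejected (400) while the slot is occupied; 10.0.0.9 starts one rekey later.
SAMPLE_LOG = """\
2026-04-17T10:00:00Z 10.0.0.5 GET /v1/sys/rekey/init 200
2026-04-17T10:00:01Z 198.51.100.7 PUT /v1/sys/rekey/init 200
2026-04-17T10:00:02Z 198.51.100.7 DELETE /v1/sys/rekey/init 204
2026-04-17T10:00:03Z 198.51.100.7 PUT /v1/sys/rekey/init 200
2026-04-17T10:00:04Z 198.51.100.7 DELETE /v1/sys/rekey/init 204
2026-04-17T10:00:05Z 198.51.100.7 PUT /v1/sys/generate-root/attempt 200
2026-04-17T10:00:06Z 198.51.100.7 DELETE /v1/sys/generate-root/attempt 204
2026-04-17T10:00:07Z 198.51.100.7 PUT /v1/sys/rekey/init 200
2026-04-17T10:00:30Z 10.0.0.5 PUT /v1/sys/rekey/init 400
2026-04-17T10:05:00Z 10.0.0.9 PUT /v1/sys/rekey/init 200
"""

# Constructed status bodies as returned by GET on a ceremony path.
IDLE_STATUS = {"started": False, "nonce": "", "progress": 0, "required": 3}
OWNED_STATUS = {"started": True, "nonce": "f4a2b3c1-0d9e-4c7a-9b5d-1e2f3a4b5c6d",
                "progress": 1, "required": 3}
FOREIGN_STATUS = {"started": True, "nonce": "2dbd10f1-8528-6246-09e7-82b25b8aba63",
                  "progress": 0, "required": 3}
OPERATOR_NONCES = {"f4a2b3c1-0d9e-4c7a-9b5d-1e2f3a4b5c6d"}  # nonces your team started


def parse_line(line):
    """Return (timestamp, ip, method, path, status) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, method, path, status = m.groups()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, method, path, int(status)


def find_ceremony_churn(log_text, window=timedelta(seconds=60), threshold=3):
    """Map client IP -> max number of init/cancel calls on ceremony paths
    inside any sliding `window`, keeping only IPs at or above `threshold`.
    A single legitimate ceremony needs one init, so repeated init/cancel
    from one client is the advisory's DoS pattern, not normal operation."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, ip, method, path, _status = rec
        if path in CEREMONY_PATHS and method in MUTATING:
            events[ip].append(ts)
    flagged = {}
    for ip, times in events.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def classify_slot(status, known_nonces):
    """'idle': slot free; 'owned': in progress under a nonce your operators
    recorded; 'foreign': in progress under a nonce nobody on your team
    started, i.e. some other (possibly unauthenticated) client holds it."""
    if not status.get("started"):
        return "idle"
    return "owned" if status.get("nonce") in known_nonces else "foreign"


def recommend(path, status, known_nonces):
    """Return the operator cancel command when a foreign operation holds
    the slot on `path`, otherwise None."""
    if classify_slot(status, known_nonces) == "foreign":
        return CANCEL_HINT[path]
    return None


if __name__ == "__main__":
    print("churn:", find_ceremony_churn(SAMPLE_LOG))
    print("rekey slot:", classify_slot(FOREIGN_STATUS, OPERATOR_NONCES),
          "->", recommend("/v1/sys/rekey/init", FOREIGN_STATUS, OPERATOR_NONCES))
```

Two caveats apply. First, cancelling a foreign operation only frees the slot for the attacker's next unauthenticated request, so the cancel hint is a diagnostic step, not a fix; the remediation is the upgrade above, together with keeping Vault's listener off untrusted networks. Second, the churn detector keys on a proxy log rather than Vault's audit device, so it only sees what reaches the proxy; run it on the ingress point every client must traverse.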

🎯 Affected products (2)

  • Vault
  • Vault Enterprise
