HCSEC-2026-16 - Vault Audit Device Plugin Directory Guard Bypass via Legacy Path Option
🔗 CVE IDs covered (1)
📋 Description
Bulletin ID: HCSEC-2026-16 Affected Products / Versions: Vault Community Edition 1.20.1 and later, up to 2.0.0; fixed in 2.0.1, 1.21.6, and 1.20.11. Vault Enterprise 1.19.0 and later, up to 2.0.0; fixed in 2.0.1, 1.21.6, 1.20.11, and 1.19.17. Publication Date: July 1, 2026 Summary HashiCorp Vault and Vault Enterprise prior to 2.0.1 audit device validation logic did not consistently apply plugin directory protections when the legacy file audit path option was used. This vulnerability (CVE-2026-5051) is fixed in 2.0.1, 1.21.6, 1.20.11, and 1.19.17. Background Vault supports audit devices that record requests and responses for operational and security review. The file audit device writes audit logs to a configured filesystem path. Vault also supports external plugins loaded from a configured plugin directory. Because writes into this directory can be security-sensitive, Vault includes protections intended to prevent file audit devices from writing audit logs into the plugin directory. Details Vault’s audit device plugin directory guard checked the file_path audit option when determining whether a file audit device would write into the configured plugin directory. However, the file audit backend also accepted the legacy path option as a fallback. When only the path was supplied, Vault did not validate the actual audit log destination against the plugin directory guard, while the file audit backend still used that value as the audit log path. Under specific server configurations, including a configured plugin directory, this could bypass intended protections against writing audit output into sensitive plugin paths. Remediation Customers should evaluate the risk associated with this issue and consider upgrading to Vault 2.0.1, 1.21.6, 1.20.11, and 1.19.17. Please refer to Upgrading Vault ( Upgrade Vault | Vault | HashiCorp Developer) for general guidance. Customers should restrict audit device management permissions to trusted operators only. Acknowledgement This issue …
🎯 Affected products2
- Vault
- Vault Enterprise