Vault is vulnerable to a denial-of-service condition where an unauthenticated attacker can repeatedly initiate or cancel root token generation or rekey operations, occupying the single in-progress operation slot. This prevents legitimate operators from completing these workflows. This vulnerability, CVE-2026-5807, is fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0.
Credits
This issue was identified by XlabAI Team of Tencent Xuanwu Lab and the Atuin Automated Vulnerability Discovery Engine who reported it to HashiCorp.