GHSA-8r5m-3f66-qpr3
Suggest an improvement- Source
- https://github.com/advisories/GHSA-8r5m-3f66-qpr3
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-8r5m-3f66-qpr3/GHSA-8r5m-3f66-qpr3.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-8r5m-3f66-qpr3
- Aliases
-
- BIT-vault-2026-5052
- CVE-2026-5052
- Downstream
- Published
- 2026-04-17T06:31:07Z
- Modified
- 2026-04-21T13:12:35.107137078Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- HashiCorp Vault has Server-Side Request Forgery in ACME Challenge Validation via Attacker-Controlled DNS
- Details
-
Vault’s PKI engine’s ACME validation did not reject local targets when issuing http-01 and tls-alpn-01 challenges. This may lead to these requests being sent to local network targets, potentially leading to information disclosure. Fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.
- Database specific
{ "github_reviewed": true, "cwe_ids": [ "CWE-918" ], "github_reviewed_at": "2026-04-18T00:53:25Z", "nvd_published_at": "2026-04-17T04:16:12Z", "severity": "MODERATE" }- References
Affected packages
Go / github.com/hashicorp/vault
Package
- Name
- github.com/hashicorp/vault
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/hashicorp/vault