A timing side channel in Vault and Vault Enterprise’s (“Vault”) userpass auth method allowed an attacker to distinguish between existing and non-existing users, and potentially enumerate valid usernames for Vault’s Userpass auth method. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.
{ "nvd_published_at": "2025-08-01T18:15:56Z", "github_reviewed": true, "github_reviewed_at": "2025-08-01T21:08:42Z", "severity": "LOW", "cwe_ids": [ "CWE-203" ] }