A timing side channel in Vault and Vault Enterprise’s (“Vault”) userpass auth method allowed an attacker to distinguish between existing and non-existing users, and potentially enumerate valid usernames for Vault’s Userpass auth method. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.
2025-08-01T18:15:56.713
2025-08-13T18:10:13.237
Analyzed
CVSSv3.1: 3.7 (LOW)
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | hashicorp | vault | < 1.16.23 | Yes |
| Application | hashicorp | vault | < 1.20.1 | Yes |
| Application | hashicorp | vault | < 1.18.12 | Yes |
| Application | hashicorp | vault | < 1.19.7 | Yes |
| Application | hashicorp | vault | 1.20.0 | Yes |