The LDAP auth method in Vault and Vault Enterprise (“Vault”) may not have correctly enforced MFA if username_as_alias was set to true and a user had multiple CNs that were equal except for leading or trailing spaces. Fixed in Vault Community Edition 1.20.2 and Vault Enterprise 1.20.2, 1.19.8, 1.18.13, and 1.16.24.
Published: 2025-08-06T10:15:35.423
Last modified: 2025-12-15T16:13:23.290
Status: Analyzed
CVSSv3.1: 6.5 (MEDIUM)
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | hashicorp | vault | ≤ 1.15.16 | Yes |
| Application | hashicorp | vault | < 1.20.2 | Yes |
| Application | hashicorp | vault | < 1.16.24 | Yes |
| Application | hashicorp | vault | < 1.18.13 | Yes |
| Application | hashicorp | vault | < 1.19.8 | Yes |