Zero-day flaws in authentication, identity, authorization in HashiCorp Vault


Introduction: when the trust model can't be trusted

Secrets vaults are the backbone of digital infrastructure. They store the credentials, tokens, and certificates that govern access to systems, services, APIs, and data. They're not just a part of the trust model, they are the trust model. In other words, if your vault is compromised, your […]

We sought them out, starting with a clear hypothesis – if Vault plays the role of trust anchor for organizations, then even minor inconsistencies in how it enforces identity, authentication, or policy could have outsized consequences. This research exposes critical weak points in Vault’s trust and identity model – flaws that, under real-world conditions, form exploitable attack paths and can drive devastating results. And when trust in the vault is broken, the impact is immediate and devastating: attackers can impersonate users, bypass MFA, extract credentials, seize root tokens, and even execute arbitrary commands.
