CVE-2024-5798

Vault and Vault Enterprise did not properly validate the JSON Web Token (JWT) role-bound audience claim when using the Vault JWT auth method. This may have resulted in Vault validating a JWT the audience and role-bound claims do not match, allowing an invalid login to succeed when it should have been rejected.

This vulnerability, CVE-2024-5798, was fixed in Vault and Vault Enterprise 1.17.0, 1.16.3, and 1.15.9

Published: Jun 12, 2024
Updated: Aug 8, 2025
CVE: CVE-2024-5798
GHSA: GHSA-32cj-5wx4-gq8p
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWEs:

CWE-285

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
github.com/hashicorp/vault	1.17.0-rc1	1.17.0-rc1.x
github.com/hashicorp/vault	1.17.0-rc1	1.17.0
github.com/hashicorp/vault	1.16.0-rc1	1.16.3
github.com/hashicorp/vault	0.11.0	1.15.9
hashicorp / vault	0.11.0	1.15.9
hashicorp / vault	1.16.0	1.16.3

https://discuss.hashicorp.com/t/hcsec-2024-11-vault-incorrectly-validated-json-web-tokens-jwt-audience-claims/67770

Vulnerability Database

CVE-2024-5798