CVE-2025-5999

A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or another user’s token privileges to Vault’s root policy. Fixed in Vault Community Edition 1.20.0 and Vault Enterprise 1.20.0, 1.19.6, 1.18.11 and 1.16.22.

Published: Aug 1, 2025
Updated: Aug 20, 2025
CVE: CVE-2025-5999
GHSA: GHSA-6h4p-m86h-hhgh
Severity: High
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWEs:

CWE-266

Affected Software
References

Software	From	Fixed in
github.com/hashicorp/vault	0.10.4	1.20.0
hashicorp / vault	1.17.0	1.18.11
hashicorp / vault	1.19.0	1.19.6
hashicorp / vault	0.10.4	1.20.0
hashicorp / vault	0.10.4	1.16.22

https://discuss.hashicorp.com/t/hcsec-2025-13-vault-root-namespace-operator-may-elevate-token-privileges/76032

Vulnerability Database

CVE-2025-5999