{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-10T08:20:34.377","vulnerabilities":[{"cve":{"id":"CVE-2025-11621","sourceIdentifier":"security@hashicorp.com","published":"2025-10-23T19:15:48.893","lastModified":"2025-12-29T17:17:56.107","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Vault and Vault Enterprise’s (“Vault”) AWS Auth method may be susceptible to authentication bypass if the role of the configured bound_principal_iam is the same across AWS accounts, or uses a wildcard. This vulnerability, CVE-2025-11621, is fixed in Vault Community Edition 1.21.0 and Vault Enterprise 1.21.0, 1.20.5, 1.19.11, and 1.16.27"}],"metrics":{"cvssMetricV31":[{"source":"security@hashicorp.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":5.2}]},"weaknesses":[{"source":"security@hashicorp.com","type":"Secondary","description":[{"lang":"en","value":"CWE-288"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*","versionStartIncluding":"0.6.0","versionEndExcluding":"1.16.27","matchCriteriaId":"8C7F3182-7234-41FA-9B75-41035C2373A5"},{"vulnerable":true,"criteria":"cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:*","versionStartIncluding":"0.6.0","versionEndExcluding":"1.21.0","matchCriteriaId":"1A7AEDE3-EAC5-4022-916F-639BD91EF61C"},{"vulnerable":true,"criteria":"cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*","versionStartIncluding":"1.18.0","versionEndIncluding":"1.18.15","matchCriteriaId":"0F754D3F-BD3D-4726-87EC-012F8B68C840"},{"vulnerable":true,"criteria":"cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*","versionStartIncluding":"1.19.0","versionEndExcluding":"1.19.11","matchCriteriaId":"167CFBBB-E0DF-42AB-84AA-4BF19C3873DB"},{"vulnerable":true,"criteria":"cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*","versionStartIncluding":"1.20.0","versionEndExcluding":"1.20.5","matchCriteriaId":"466A7DC1-B9A3-4413-AA3E-AFAF34350E52"}]}]}],"references":[{"url":"https://discuss.hashicorp.com/t/hcsec-2025-30-vault-aws-auth-method-authentication-bypass-through-mishandling-of-cache-entries/76709","source":"security@hashicorp.com","tags":["Vendor Advisory"]}]}}]}