CVE-2026-5052 Overview
A Server-Side Request Forgery (SSRF) vulnerability has been identified in HashiCorp Vault's PKI secrets engine. The ACME validation component fails to reject local targets when validating http-01 and tls-alpn-01 challenges. An attacker can therefore steer validation requests at internal network targets, leading to disclosure of sensitive information from systems that should not be reachable from outside.
Critical Impact
Attackers can leverage attacker-controlled DNS to force Vault's ACME challenge validation to send requests to local network targets, potentially exposing internal services and sensitive information that would otherwise be protected from external access.
Affected Products
- HashiCorp Vault Community Edition versions prior to 2.0.0
- HashiCorp Vault Enterprise versions prior to 2.0.0, 1.21.5, 1.20.10, and 1.19.16
- Any deployments using the PKI secrets engine with ACME protocol support enabled
Discovery Timeline
- 2026-04-17 - CVE-2026-5052 published to NVD
- 2026-04-17 - Last updated in NVD database
Technical Details for CVE-2026-5052
Vulnerability Analysis
This vulnerability is classified as CWE-918 (Server-Side Request Forgery). The issue resides in the PKI secrets engine's implementation of the ACME (Automatic Certificate Management Environment) protocol, specifically in how it handles http-01 and tls-alpn-01 challenge validation.
When a certificate is requested via ACME, Vault must validate control of the domain by connecting to it: an HTTP request for http-01, or a TLS handshake for tls-alpn-01. The vulnerability exists because Vault's validation logic does not restrict where those connections may go. An attacker who controls DNS resolution for a domain can point it at an internal IP address (such as 127.0.0.1, 10.x.x.x, 192.168.x.x, or 172.16.x.x), causing Vault to send the validation request to an internal service.
This SSRF vulnerability enables reconnaissance of internal network services, potential access to internal APIs and metadata services, and information leakage from services that trust requests from the Vault server.
Root Cause
The root cause is insufficient validation of the resolved target in the ACME challenge validation workflow. The PKI engine does not apply allowlist/denylist checks to the IP addresses resolved during http-01 and tls-alpn-01 challenge processing. When the ACME client signals that a challenge is ready, Vault resolves the domain's IP address and connects to it without verifying whether the resolved address falls in a local or private network range.
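As an added example (not Vault's code, and not the fix HashiCorp shipped), the following Go snippet shows the kind of target check the root cause describes: the resolved address is tested against loopback, private, link-local, multicast and unspecified ranges, and the check is placed in net.Dialer's Control hook so it runs on the address the socket actually connects to rather than on an earlier DNS answer. The function names, the redirect limit and the timeouts are assumptions chosen for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"syscall"
	"time"
)

// ErrDisallowedTarget is returned when a validation request would reach a
// loopback, private, link-local, multicast or unspecified address.
var ErrDisallowedTarget = errors.New("acme validation target resolves to a non-public address")

// isDisallowedTarget reports whether ip belongs to a range an ACME validator
// should never contact: loopback (127.0.0.0/8, ::1), RFC 1918 and IPv6 ULA
// space, link-local (169.254.0.0/16, fe80::/10, which contains cloud metadata
// endpoints such as 169.254.169.254), multicast and the unspecified address.
// IPv4-mapped IPv6 addresses are unwrapped by To4 so they get the IPv4 rules.
func isDisallowedTarget(ip net.IP) bool {
	if ip == nil {
		return true // an unparseable address is rejected rather than trusted
	}
	if v4 := ip.To4(); v4 != nil {
		ip = v4
	}
	return ip.IsLoopback() ||
		ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() ||
		ip.IsMulticast() ||
		ip.IsUnspecified()
}

// checkDialAddress runs from net.Dialer.Control just before connect(2). At that
// point address is the resolved "ip:port" the socket will use, so the check
// covers the real target even if DNS answered differently on an earlier lookup.
func checkDialAddress(network, address string) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return err
	}
	if isDisallowedTarget(net.ParseIP(host)) {
		return fmt.Errorf("%w: %s", ErrDisallowedTarget, address)
	}
	return nil
}

// newValidationClient builds an HTTP client for http-01 validation (hypothetical
// name). The Control hook enforces the target check on every connection,
// including those made while following redirects; short timeouts bound the probe.
func newValidationClient() *http.Client {
	dialer := &net.Dialer{
		Timeout: 10 * time.Second,
		Control: func(network, address string, _ syscall.RawConn) error {
			return checkDialAddress(network, address)
		},
	}
	return &http.Client{
		Transport: &http.Transport{
			DialContext:         dialer.DialContext,
			TLSHandshakeTimeout: 10 * time.Second,
		},
		Timeout: 15 * time.Second,
		// http-01 permits redirects; cap the chain so it cannot be used to
		// walk the validator through many connection attempts.
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 5 {
				return errors.New("too many redirects during http-01 validation")
			}
			return nil
		},
	}
}

func main() {
	for _, s := range []string{"127.0.0.1", "169.254.169.254", "10.1.2.3", "fd00::1", "8.8.8.8"} {
		fmt.Printf("%-16s disallowed=%v\n", s, isDisallowedTarget(net.ParseIP(s)))
	}
	// Constructed URL: the request is refused by the Control hook before any
	// packet leaves the host, so this runs offline.
	_, err := newValidationClient().Get("http://127.0.0.1/.well-known/acme-challenge/token")
	fmt.Println("loopback probe:", err)
}
```

Placing the check in Control, rather than resolving the name once and testing that answer, matters because a resolver under an attacker's control can return a public address on the first lookup and a private one on the next (DNS rebinding); a check done only on an initial lookup would pass while the connection still reached the internal target. The same dialer can back the TLS connection used for tls-alpn-01 validation.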
Attack Vector
The attack is network-accessible and requires no authentication or user interaction. An attacker can exploit this vulnerability by:
- Registering a domain with a controlled DNS server
- Requesting a certificate from Vault's PKI engine for that domain
- Configuring their DNS to resolve the domain to an internal IP address (e.g., 169.254.169.254 for cloud metadata services)
- When Vault attempts to validate the http-01 or tls-alpn-01 challenge, it sends the request to the internal target
- The attacker receives information about internal services through error messages or timing attacks
The vulnerability requires the attacker to have the ability to request certificates through Vault's ACME endpoint and control DNS resolution for a domain they claim to own.
Detection Methods for CVE-2026-5052
Indicators of Compromise
- Unusual ACME certificate requests for domains that resolve to internal IP addresses
- DNS queries from the Vault server resolving to private IP ranges (RFC 1918) or localhost
- Outbound HTTP requests from Vault to internal network segments or cloud metadata endpoints
- Audit log entries showing ACME validation attempts to non-routable IP addresses
Detection Strategies
- Monitor Vault audit logs for ACME certificate requests with suspicious domain patterns
- Implement network monitoring to detect HTTP requests from Vault servers to internal IP ranges
- Configure DNS monitoring to alert on resolutions to private address spaces from Vault infrastructure
- Review PKI engine access patterns for anomalous certificate request volumes or unusual domains
Monitoring Recommendations
- Enable verbose audit logging for the PKI secrets engine to capture all ACME validation attempts
- Deploy network segmentation monitoring to detect unauthorized internal communications from Vault
- Implement alerting on Vault server DNS queries that resolve to internal or localhost addresses
- Use SentinelOne Singularity to monitor for SSRF attack patterns and anomalous network behavior from Vault processes
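As an added example (not from the advisory and not HashiCorp's or SentinelOne's code), the following Go program implements the detection strategy above of alerting on resolver answers that hand a Vault server a private, loopback or link-local address. The log format, the hostnames and the addresses are constructed for the example; a real resolver log (dnsmasq, Unbound, a cloud DNS query log) needs its own parser, and the list of Vault server addresses would come from inventory.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strings"
)

// Address ranges a Vault server's ACME validator has no business resolving a
// challenge target into: RFC 1918, loopback, link-local (which contains the
// 169.254.169.254 cloud metadata endpoint), IPv6 ULA and ::1.
var sensitiveRanges = mustCIDRs(
	"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
	"127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "::1/128",
)

func mustCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err) // the list is static, so a bad entry is a programming error
		}
		nets = append(nets, n)
	}
	return nets
}

func inSensitiveRange(ip net.IP) bool {
	for _, n := range sensitiveRanges {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Finding is one DNS answer that gave a Vault server a non-public address.
type Finding struct {
	Time, Client, QName, Answer string
}

// field returns the value of key=value among the space-separated parts of a line.
func field(parts []string, key string) string {
	for _, p := range parts {
		if strings.HasPrefix(p, key+"=") {
			return strings.TrimPrefix(p, key+"=")
		}
	}
	return ""
}

// scanResolverLog walks resolver log lines in the constructed format
//
//	<time> client=<ip> qname=<name> answer=<ip>
//
// and reports answers in a sensitive range that were returned to one of the
// given Vault server addresses. Queries from other hosts are ignored so that
// ordinary intranet lookups by other clients do not produce noise.
func scanResolverLog(log string, vaultServers []string) []Finding {
	isVault := make(map[string]bool, len(vaultServers))
	for _, s := range vaultServers {
		isVault[s] = true
	}
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		parts := strings.Fields(sc.Text())
		if len(parts) < 4 || !isVault[field(parts, "client")] {
			continue
		}
		ip := net.ParseIP(field(parts, "answer"))
		if ip == nil || !inSensitiveRange(ip) {
			continue
		}
		findings = append(findings, Finding{
			Time: parts[0], Client: field(parts, "client"),
			QName: field(parts, "qname"), Answer: ip.String(),
		})
	}
	return findings
}

// sampleLog is constructed for this example; the names and addresses are
// placeholders, not data from any real deployment. 10.20.0.5 plays the Vault
// server, 10.20.0.9 an unrelated host.
const sampleLog = `2026-04-17T10:00:01Z client=10.20.0.5 qname=shop.example.net answer=203.0.113.10
2026-04-17T10:00:02Z client=10.20.0.5 qname=meta.attacker-example.test answer=169.254.169.254
2026-04-17T10:00:03Z client=10.20.0.9 qname=intranet.example.net answer=192.168.4.20
2026-04-17T10:00:04Z client=10.20.0.5 qname=local.attacker-example.test answer=127.0.0.1
2026-04-17T10:00:05Z client=10.20.0.5 qname=api.example.net answer=2001:db8::10`

func main() {
	for _, f := range scanResolverLog(sampleLog, []string{"10.20.0.5"}) {
		fmt.Printf("%s vault=%s %s -> %s\n", f.Time, f.Client, f.QName, f.Answer)
	}
}
```

On the sample input only the two lookups by the Vault server that resolved into link-local and loopback space are reported; the intranet lookup from the other host and the public answers are not. In production, a finding is worth pairing with the Vault audit log entry for the ACME challenge that was being validated at that time, which is the artifact the Indicators of Compromise above point to.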
How to Mitigate CVE-2026-5052
Immediate Actions Required
- Upgrade HashiCorp Vault Community Edition to version 2.0.0 or later
- Upgrade HashiCorp Vault Enterprise to version 2.0.0, 1.21.5, 1.20.10, or 1.19.16 depending on your version track
- Review recent ACME certificate issuance logs for suspicious activity
- Implement network-level controls to restrict Vault's outbound connectivity to internal networks
Patch Information
HashiCorp has released fixed versions that properly validate ACME challenge targets and reject requests to local or private network addresses. The patches are available for:
- Vault Community Edition 2.0.0
- Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16
Refer to the HashiCorp Security Advisory HCSEC-2026-06 for detailed upgrade instructions.
Workarounds
- Disable the ACME feature in the PKI secrets engine if not required for operations
- Implement network firewall rules to prevent Vault from initiating connections to internal IP ranges
- Use external DNS resolvers with SSRF protections that block resolution to private IP addresses
- Configure network egress filtering to restrict Vault's outbound HTTP connectivity to known-good external targets
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


