GHSA-r3w7-mfpm-c2vw

GitHub Security Advisory

Incorrect TLS certificate auth method in Vault

✓ GitHub Reviewed HIGH Has CVE

Advisory Details

The TLS certificate auth method in Vault and Vault Enterprise (“Vault”) did not correctly validate client certificates when configured with a non-CA certificate as a trusted certificate. In this configuration, an attacker may be able to craft a malicious certificate that could be used to bypass authentication. Fixed in Vault 1.15.5 and 1.14.10.

Affected Packages

Go github.com/hashicorp/vault
Affected versions: 1.15.0 (fixed in 1.15.5)
Go github.com/hashicorp/vault
Affected versions: 0 (fixed in 1.14.10)

Related CVEs

Key Information

GHSA ID: GHSA-r3w7-mfpm-c2vw
Published: March 4, 2024 9:31 PM
Last Modified: August 6, 2025 4:47 PM
CVSS Score: 7.5/10
Primary Ecosystem: Go
Primary Package: github.com/hashicorp/vault
GitHub Reviewed: ✓ Yes

Dataset

Last updated: November 25, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.