Vault DoS: Unauthenticated Attackers Can Block Critical Operations
The National Vulnerability Database has detailed CVE-2026-5807, a high-severity denial-of-service (DoS) vulnerability impacting Vault Community Edition and Vault Enterprise. This isn’t a data breach or code execution, but it’s a critical operational disruption that CISOs need to take seriously. The CVSS 3.1 score of 7.5 (HIGH) with an AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H vector clearly indicates an unauthenticated, low-complexity attack that results in high availability impact.
Here’s the problem: an unauthenticated attacker can repeatedly initiate or cancel root token generation or rekey operations. Vault’s architecture, as described by the National Vulnerability Database, allows only a single in-progress operation for these critical workflows. By monopolizing this slot, an attacker effectively prevents legitimate operators—your security team—from performing essential administrative tasks.
Think about the implications. If your team needs to rotate a compromised root token, rekey a Vault cluster, or onboard new operators, this vulnerability can halt all of it. This isn’t just an annoyance; it’s a direct impediment to incident response, security best practices, and even regular operational maintenance. An attacker doesn’t need to steal data or run code to create chaos; simply blocking access to these functions can severely degrade an organization’s security posture and response capabilities, especially during a crisis.
From an attacker’s perspective, this is a low-effort, high-impact play. No credentials, no complex exploits, just repeated requests. Their goal isn’t necessarily to breach the system, but to create a distraction, slow down a response, or simply cause operational pain. In a red team scenario, this is a perfect tactic to frustrate blue teams and buy time for other objectives, or to mask more subtle attacks.
Defenders must understand that even DoS attacks on critical infrastructure like Vault can have cascading effects. If you can’t rekey, if you can’t regenerate root tokens, you’re stuck with potentially compromised credentials or an inability to recover from a failure. This vulnerability, tracked as CWE-770 (Allocation of Resources Without an Expiration or Throttling), highlights a fundamental design flaw in resource management. The fix, available in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, is absolutely non-negotiable.
What This Means For You
- If your organization uses Vault, you need to check your version immediately. This isn't a 'wait and see' situation. An unauthenticated attacker can bring critical security operations to a grinding halt. Verify you are running Vault Community Edition 2.0.0 or Vault Enterprise 2.0.0 or later. Prioritize patching this vulnerability now to ensure your security team can perform essential administrative tasks without disruption.
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-5807 | DoS | Vault Community Edition < 2.0.0 |
| CVE-2026-5807 | DoS | Vault Enterprise < 2.0.0 |
| CVE-2026-5807 | DoS | Repeatedly initiating or canceling root token generation or rekey operations |
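
An added detection sketch for the behavioural indicator in the table above (not code from the original article or from the Vault project): it scans reverse-proxy access logs for a single client that keeps starting or cancelling root token generation or rekey attempts. The log layout, the threshold, the window and the name `find_slot_churn` are assumptions; the two paths are taken from Vault's documented HTTP API for these workflows, not from the article.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Vault HTTP API paths for the two single-slot workflows (assumed relevant here).
SLOT_PATHS = re.compile(r"^/v1/sys/(generate-root/attempt|rekey/init)$")
SLOT_METHODS = {"POST", "PUT", "DELETE"}  # start (POST/PUT) or cancel (DELETE)

# Assumed proxy log layout: "<ISO time> <client ip> <method> <path> <status>"
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def find_slot_churn(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {client_ip: peak count} for clients that started or cancelled
    root-generation/rekey attempts at least `threshold` times within `window`."""
    recent = defaultdict(deque)  # client -> timestamps still inside the window
    flagged = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ts, client, method, path, _status = m.groups()
        if method not in SLOT_METHODS or not SLOT_PATHS.match(path):
            continue  # status reads (GET) and unrelated paths are ignored
        now = datetime.fromisoformat(ts)
        q = recent[client]
        q.append(now)
        while now - q[0] > window:
            q.popleft()  # drop events that fell out of the sliding window
        if len(q) >= threshold:
            flagged[client] = max(flagged.get(client, 0), len(q))
    return flagged

# Constructed sample log (documentation-range addresses), not real traffic.
SAMPLE_LOG = [
    "2026-01-01T10:00:00 198.51.100.7 PUT /v1/sys/generate-root/attempt 200",
    "2026-01-01T10:00:02 198.51.100.7 DELETE /v1/sys/generate-root/attempt 204",
    "2026-01-01T10:00:03 10.0.0.5 GET /v1/sys/rekey/init 200",
    "2026-01-01T10:00:05 198.51.100.7 PUT /v1/sys/rekey/init 200",
    "2026-01-01T10:00:07 198.51.100.7 DELETE /v1/sys/rekey/init 204",
    "2026-01-01T10:00:09 10.0.0.5 PUT /v1/sys/rekey/init 200",
    "2026-01-01T10:00:10 198.51.100.7 PUT /v1/sys/generate-root/attempt 200",
    "2026-01-01T10:00:12 198.51.100.7 DELETE /v1/sys/generate-root/attempt 204",
    "2026-01-01T10:05:00 10.0.0.5 DELETE /v1/sys/rekey/init 204",
]

if __name__ == "__main__":
    print(find_slot_churn(SAMPLE_LOG))
```

A legitimate operator starts an attempt once and then submits key shares, so sustained start/cancel churn from one source is the signal; tune the threshold and window to your environment.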