2459106 – (CVE-2026-5052) CVE-2026-5052 Vault: Vault: Information disclosure via Server-Side Request Forgery in ACME challenge validation

Bug 2459106 (CVE-2026-5052) - CVE-2026-5052 Vault: Vault: Information disclosure via Server-Side Request Forgery in ACME challenge validation

Summary: CVE-2026-5052 Vault: Vault: Information disclosure via Server-Side Request Fo...

Keywords:
Status:	NEW
Alias:	CVE-2026-5052
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-17 04:01 UTC by OSIDB Bzimport
Modified:	2026-04-17 22:28 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-04-17 04:01:44 UTC

Vault’s PKI engine’s ACME validation did not reject local targets when issuing http-01 and tls-alpn-01 challenges. This may lead to these requests being sent to local network targets, potentially leading to information disclosure. Fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.

Note You need to log in before you can comment on or make changes to this bug.