CVE-2022-40186: n/a in n/a
An issue was discovered in HashiCorp Vault and Vault Enterprise before 1.11.3. A vulnerability in the Identity Engine was found where, in a deployment where an entity has multiple mount accessors with shared alias names, Vault may overwrite metadata to the wrong alias due to an issue with checking the proper alias assigned to an entity. This may allow for unintended access to key/value paths using that metadata in Vault.
AI Analysis
Technical Summary
CVE-2022-40186 is a critical vulnerability in HashiCorp Vault and Vault Enterprise before version 1.11.3. The flaw lies in Vault's Identity Engine and is only reachable in deployments where a single entity has aliases with the same name on more than one mount accessor. Because the code did not correctly determine which of those aliases belongs to the entity, Vault could write alias metadata to the wrong alias. Since key/value paths can be derived from that metadata, the misassigned metadata may grant access to key/value paths that should be restricted. The root cause is therefore a logic error in entity alias handling, the mechanism Vault uses to map identities to permissions. The vulnerability is classified under CWE-639 (Authorization Bypass Through User-Controlled Key) and has a CVSS v3.1 score of 9.1 (critical). The attack vector is network-based (AV:N), with no privileges (PR:N) and no user interaction (UI:N) required, so exploitation is feasible remotely without authentication. The impact is full confidentiality and integrity compromise of secrets stored in Vault; availability is not affected. No exploits in the wild had been reported as of publication, but the severity and ease of exploitation make this a significant risk for organizations that rely on Vault for secret management. The vulnerability underscores the importance of correct alias handling in identity and access management systems, especially in complex deployments with multiple mount points and shared alias names.
Potential Impact
For European organizations, the impact of CVE-2022-40186 can be severe due to the widespread adoption of HashiCorp Vault as a secrets management solution in cloud-native and enterprise environments. Unauthorized access to key/value paths could lead to exposure of critical credentials, API keys, certificates, and other sensitive data, potentially enabling further lateral movement, data breaches, or compromise of critical infrastructure. Given the criticality of Vault in securing secrets for applications, infrastructure, and DevOps pipelines, exploitation could disrupt business operations and violate data protection regulations such as GDPR if personal or sensitive data is exposed. The lack of required authentication and user interaction increases the risk of automated or remote exploitation by threat actors. European organizations operating in regulated sectors such as finance, healthcare, and government are particularly at risk due to the sensitivity of the data protected by Vault. Additionally, the vulnerability could undermine trust in identity and access management controls, complicating compliance and audit efforts.
Mitigation Recommendations
Organizations should prioritize upgrading HashiCorp Vault and Vault Enterprise to version 1.11.3 or later, where this vulnerability has been addressed. Until patching is possible, administrators should audit their Vault deployments for entities with multiple mount accessors sharing alias names and consider restructuring these to avoid alias name collisions. Implement strict access controls and monitoring on Vault audit logs to detect unusual access patterns or metadata changes. Employ network segmentation and firewall rules to restrict access to Vault instances to trusted hosts and networks only. Additionally, review and tighten identity and alias management policies to minimize complexity and reduce the risk of alias misassignment. Regularly validate the integrity of metadata associated with entities and aliases. Finally, incorporate Vault security into incident response plans to quickly respond to any suspected exploitation attempts.
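The audit step above (find entities whose aliases share a name across several mount accessors) can be scripted against Vault's identity API. This is an added example, not HashiCorp's code; it assumes `VAULT_ADDR` and `VAULT_TOKEN` are set and that the token may list `identity/entity/id` and read `identity/entity/id/<id>`. The entity record and accessor names embedded at the bottom are constructed for offline testing.

```python
import json
import os
import urllib.request
from collections import defaultdict

# Added example (not HashiCorp's code). Assumes VAULT_ADDR and VAULT_TOKEN are set
# and that the token may read identity/entity/id (list) and identity/entity/id/<id>.

def shared_alias_names(entity):
    """Return {alias_name: [mount_accessors]} for alias names present on two or
    more distinct mount accessors of one entity, the CVE-2022-40186 precondition.
    `entity` is the 'data' object returned by GET identity/entity/id/<id>."""
    by_name = defaultdict(set)
    for alias in entity.get("aliases", []):
        by_name[alias["name"]].add(alias["mount_accessor"])
    return {n: sorted(accs) for n, accs in by_name.items() if len(accs) > 1}

def vault_get(path):
    addr = os.environ["VAULT_ADDR"].rstrip("/")
    req = urllib.request.Request(f"{addr}/v1/{path}", headers={"X-Vault-Token": os.environ["VAULT_TOKEN"]})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["data"]

def audit_entities():
    """Walk every entity; return {entity_name: shared_alias_names(...)} for those
    that need restructuring (or the 1.11.3+ upgrade) first."""
    findings = {}
    for entity_id in vault_get("identity/entity/id?list=true")["keys"]:
        entity = vault_get(f"identity/entity/id/{entity_id}")
        hits = shared_alias_names(entity)
        if hits:
            findings[entity.get("name", entity_id)] = hits
    return findings

# Constructed entity record (not from a real Vault): "alice" exists on both a
# userpass and an LDAP accessor, the risky shape; "svc-a" is on one accessor only.
SAMPLE_ENTITY = {
    "id": "entity-0001", "name": "alice",
    "aliases": [
        {"name": "alice", "mount_accessor": "auth_userpass_11111111", "metadata": {"team": "dev"}},
        {"name": "alice", "mount_accessor": "auth_ldap_22222222", "metadata": {"team": "ops"}},
        {"name": "svc-a", "mount_accessor": "auth_approle_33333333", "metadata": {}},
    ],
}

if __name__ == "__main__":
    print(json.dumps(shared_alias_names(SAMPLE_ENTITY), indent=2))
    if "VAULT_ADDR" in os.environ:  # only touch a live server when configured
        print(json.dumps(audit_entities(), indent=2))
```

Any entity reported by `audit_entities()` matches the vulnerable configuration and should be split or renamed until the upgrade lands.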
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Switzerland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2022-09-08T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68360472182aa0cae21ef7a6
Added to database: 5/27/2025, 6:29:06 PM
Last enriched: 7/6/2025, 2:55:05 AM
Last updated: 8/15/2025, 8:16:19 AM