The vulnerability CVE-2026-5052 in HashiCorp Vault involves the PKI engine's ACME validation process failing to reject local network targets when issuing http-01 and tls-alpn-01 challenges. This flaw enables SSRF attacks where the Vault server may send requests to internal network addresses, potentially disclosing sensitive information. The issue affects Vault version 1.15.0 and was addressed in subsequent releases including Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16. The CVSS 3.1 base score is 5.3, reflecting a medium severity impact with network attack vector, low complexity, no privileges required, no user interaction, and limited confidentiality impact without integrity or availability impact.

Successful exploitation can lead to information disclosure by allowing the Vault server to make unauthorized requests to local network targets during ACME challenge validation. There is no reported impact on integrity or availability. No known exploits are currently observed in the wild.

Fixed versions of HashiCorp Vault are available: Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16. Users should upgrade to one of these versions to remediate the vulnerability. Patch status is inferred from the fixed versions listed; no explicit vendor advisory text is provided. Until upgraded, users should consider restricting network access to Vault's ACME validation endpoints to prevent SSRF exploitation.