CVE-2025-6004

MEDIUM5.3EPSS 0.11%

Hashicorp Vault has Lockout Feature Authentication Bypass

Published: 8/1/2025Modified: 2/4/2026

Description

Vault and Vault Enterprise’s (“Vault”) user lockout feature could be bypassed for Userpass and LDAP authentication methods. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

Affected packages (3)

Bitnami/vault>= 1.13.0, < 1.20.1
Go/github.com/hashicorp/vault>= 1.13.0, < 1.20.1
Go/github.com/hashicorp/vault>= 1.13.0, < 1.20.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References (4)

ADVISORYhttps://github.com/advisories/GHSA-qgj7-fmq2-6cc4
ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-6004
PATCHhttps://github.com/hashicorp/vault
WEBhttps://discuss.hashicorp.com/t/hcsec-2025-16-vault-userpass-and-ldap-user-lockout-bypass/76035