Vaulted Severance: Turning Audit Logs into Remote Shells
Jan 1, 2026·5 min read·3 visits
Executive Summary (TL;DR)
If you have a root token (or 'sys/audit' write privs) in Vault, you can trick the audit logger into writing a binary payload to the plugin directory and executing it. This breaks the boundary between the Vault application and the underlying host OS, allowing a complete container escape or host compromise.
A critical privilege escalation vulnerability in HashiCorp Vault allows privileged operators to achieve Remote Code Execution (RCE) on the host system. By abusing the File Audit Device and Plugin System, an attacker can write executable audit logs to the plugin directory and execute them.
Official Patches
Technical Appendix
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:HAffected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
Vault HashiCorp | >= 0.8.0, < 1.16.23 | 1.16.23 |
Vault HashiCorp | >= 1.17.0, < 1.18.12 | 1.18.12 |
Vault HashiCorp | >= 1.19.0, < 1.19.7 | 1.19.7 |
Vault HashiCorp | >= 1.20.0, < 1.20.1 | 1.20.1 |
| Attribute | Detail |
|---|---|
| Attack Vector | Network (Authenticated) |
| CVSS v3.1 | 7.2 (High) |
| CWE | CWE-73 (External Control of File Name or Path) |
| Privileges Required | High (Audit Write) |
| Exploit Status | PoC Available / Weaponized |
| Impact | Remote Code Execution (RCE) |
MITRE ATT&CK Mapping
The software allows user input to control or influence paths used in filesystem operations, allowing attackers to access or modify unintended files.
Known Exploits & Detection
Vulnerability Timeline
Subscribe to updates
Get the latest CVE analysis reports delivered to your inbox.