CVE-2022-40186 in Vault
Summary
by MITRE • 09/22/2022
An issue was discovered in HashiCorp Vault and Vault Enterprise before 1.11.3. A vulnerability in the Identity Engine was found where, in a deployment where an entity has multiple mount accessors with shared alias names, Vault may overwrite metadata to the wrong alias due to an issue with checking the proper alias assigned to an entity. This may allow for unintended access to key/value paths using that metadata in Vault.
Analysis
by VulDB Data Team • 05/28/2025
CVE-2022-40186 is a critical flaw in the Identity Engine of HashiCorp Vault and Vault Enterprise before 1.11.3. It stems from improper handling of entity aliases in deployments where a single entity has aliases of the same name on several mount accessors (for example, the same username registered through two auth methods). In that configuration Vault can attach metadata to the wrong alias during entity operations, which creates a path to unauthorized access to key/value storage.
The root cause is insufficient validation in the identity engine's alias resolution logic. When several mount accessors carry aliases with the same name, Vault does not properly distinguish between the alias contexts, so an alias-metadata update can be applied to the wrong alias identifier. The misassignment occurs while Vault resolves which alias should receive a metadata update, and because policies and templated paths can depend on that metadata, a legitimate user may end up authorized for resources they should not be able to reach. The flaw sits at the boundary between identity management and access control: the logical check that selects the alias is inadequate to prevent metadata from leaking from one alias to another.
The operational impact goes beyond a simple access control bypass, because it undermines the integrity of Vault's identity-based access mechanisms. An attacker could manipulate entity metadata to gain unauthorized access to sensitive key/value paths, in particular those guarded by policies that reference entity or alias metadata. The weakness affects deployments with complex identity configurations in which multiple mount points share alias names, which makes it especially relevant in enterprise environments where Vault brokers access across many organizational units or applications. The metadata write looks like an ordinary entity operation and leaves no clear audit trail, so exploitation is difficult to detect and unauthorized access could persist for a long time.
Organizations should upgrade to HashiCorp Vault 1.11.3 or later, which corrects the alias resolution logic. Security teams should also audit their identity engine configurations to find entities that have aliases of the same name on multiple mount accessors, since those are the configurations exposed to this issue. In addition, monitoring of entity and alias metadata changes, combined with analysis of access patterns on key/value paths, can reveal anomalous behavior that indicates exploitation attempts. The vulnerability aligns with CWE-284 Access Control Issues and maps to ATT&CK technique T1552.001 for credentials from password storage, as it enables unauthorized access to protected key/value resources through manipulated identity metadata rather than traditional credential theft.
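The following audit helper is an added example, not VulDB's or HashiCorp's code. It implements the two defensive checks the analysis calls for: it decides whether a reported Vault version predates the 1.11.3 fix, and it scans entity documents for the precondition described above (one entity carrying aliases of the same name on more than one mount accessor). It assumes the standard Vault Identity API endpoints `GET /v1/identity/entity/id?list=true`, `GET /v1/identity/entity/id/<id>` and `GET /v1/sys/seal-status` (for the version), with `VAULT_ADDR` and `VAULT_TOKEN` in the environment when run against a live server; the entity documents embedded below are constructed sample data so the check also runs offline.

```python
"""Audit helper for the precondition of CVE-2022-40186 (added example,
not Vault's own code).

Assumed Vault API shapes (standard Identity secrets engine endpoints):
  GET /v1/identity/entity/id?list=true  -> {"data": {"keys": [...]}}
  GET /v1/identity/entity/id/<id>       -> {"data": {"id", "name", "aliases": [...]}}
  GET /v1/sys/seal-status               -> {"version": "1.11.2", ...}
"""
import json
import os
import re
import urllib.request
from collections import defaultdict

PATCHED_VERSION = (1, 11, 3)  # first fixed release named in the advisory


def parse_version(version):
    """Reduce '1.11.2+ent' or '1.10.0' to a comparable (major, minor, patch) tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Vault version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_version(version):
    """True when the server reports a release older than 1.11.3."""
    return parse_version(version) < PATCHED_VERSION


def shared_alias_names(entity):
    """Map alias name -> sorted mount accessors for every alias name that this
    entity carries on more than one accessor (the vulnerable configuration)."""
    by_name = defaultdict(set)
    for alias in entity.get("aliases", []):
        by_name[alias["name"]].add(alias["mount_accessor"])
    return {name: sorted(accs) for name, accs in by_name.items() if len(accs) > 1}


def audit_entities(entities):
    """Return (entity_id, entity_name, shared_names) for each exposed entity."""
    findings = []
    for ent in entities:
        shared = shared_alias_names(ent)
        if shared:
            findings.append((ent["id"], ent.get("name", ""), shared))
    return findings


def _vault_get(path):
    """Minimal token-authenticated GET against a live server (used only from __main__)."""
    req = urllib.request.Request(
        os.environ["VAULT_ADDR"].rstrip("/") + path,
        headers={"X-Vault-Token": os.environ["VAULT_TOKEN"]},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def fetch_entities():
    """Read every entity document from a live server."""
    ids = _vault_get("/v1/identity/entity/id?list=true")["data"]["keys"]
    return [_vault_get(f"/v1/identity/entity/id/{eid}")["data"] for eid in ids]


# Constructed sample data (not from a real deployment): "alice" has the same
# alias name on a userpass accessor and an LDAP accessor, "bob" does not.
SAMPLE_ENTITIES = [
    {"id": "entity-0001", "name": "alice", "aliases": [
        {"id": "a1", "name": "alice", "mount_accessor": "auth_userpass_11111111",
         "metadata": {"team": "platform"}},
        {"id": "a2", "name": "alice", "mount_accessor": "auth_ldap_22222222",
         "metadata": {"team": "finance"}},
    ]},
    {"id": "entity-0002", "name": "bob", "aliases": [
        {"id": "b1", "name": "bob", "mount_accessor": "auth_userpass_11111111",
         "metadata": {}},
        {"id": "b2", "name": "bob@corp", "mount_accessor": "auth_ldap_22222222",
         "metadata": {}},
    ]},
]

if __name__ == "__main__":
    live = "VAULT_ADDR" in os.environ and "VAULT_TOKEN" in os.environ
    if live:
        version = _vault_get("/v1/sys/seal-status")["version"]
        state = "AFFECTED (< 1.11.3)" if is_affected_version(version) else "patched"
        print(f"Vault {version}: {state}")
    entities = fetch_entities() if live else SAMPLE_ENTITIES
    for eid, name, shared in audit_entities(entities):
        print(f"entity {eid} ({name}) shares alias names across accessors: {shared}")
```

Run it with `VAULT_ADDR` and `VAULT_TOKEN` set (the token needs read and list on `identity/entity/id`) to list the entities that need attention before or after the upgrade; without them it audits the embedded sample and reports only the `alice` entity. The version check is deliberately separate from the configuration scan: a patched server removes the bug, but the shared-name configuration is still worth knowing about when reviewing which metadata the policies depend on.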