GHSA-7cgv-v83v-rr87 · Severity: critical · Ecosystem: go — HashiCorp Vault vulnerable to incorrect metadata access
An issue was discovered in HashiCorp Vault and Vault Enterprise before 1.11.3. A vulnerability in the Identity Engine was found where, in a deployment where an entity has multiple mount accessors with shared alias names, Vault may overwrite metadata to the wrong alias due to an issue with checking the proper alias assigned to an entity. This may allow for unintended access to key/value paths using that metadata in Vault.
Conclusion & alert: CVE-2022-40186 is rated Moderate Risk (54.4/100): CVSS Critical severity, with medium exploitation likelihood (EPSS 0.76%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.34% | 0.76% | +0.43% |
| 2 | 2026-04-28 | 0.35% | 0.34% | -0.01% |
| 3 | 2026-04-27 | — | 0.35% | — |
Full EPSS history (25 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 9.1 | 3.1 | CRITICAL |
|
3.9 | 5.2 | [email protected] |
| 9.1 | 3.1 | CRITICAL |
|
3.9 | 5.2 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
GHSA-7cgv-v83v-rr87 · Severity: critical · Ecosystem: go — HashiCorp Vault vulnerable to incorrect metadata access
| vendor | priority | summary | link |
|---|---|---|---|
alpine
|
— | CVE-2022-40186: 1 source package rows (vault); 1 state rows across 1 repos (edge-community); fixed 0, open 1. | https://security.alpinelinux.org/vuln/CVE-2022-40186 |
redhat
|
high | — | https://access.redhat.com/security/cve/CVE-2022-40186 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| hashicorp | vault | >= 1.8.0, < 1.9.9 | cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:* |
| hashicorp | vault | >= 1.8.0, < 1.9.9 | cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:* |
| hashicorp | vault | >= 1.10.0, < 1.10.6 | cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:* |
| hashicorp | vault | >= 1.10.0, < 1.10.6 | cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:* |
| hashicorp | vault | >= 1.11.0, < 1.11.3 | cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:* |
| hashicorp | vault | >= 1.11.0, < 1.11.3 | cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:* |
| URL | Tags |
|---|---|
| https://discuss.hashicorp.com | Vendor Advisory |
| https://discuss.hashicorp.com/t/hcsec-2022-18-vault-entity-alias-metadata-may-leak-between-aliases-with-the-same-name-assigned-to-the-same-entity/44550 | Vendor Advisory |
| https://security.netapp.com/advisory/ntap-20221111-0008/ | Third Party Advisory |