Vulnerability details: VCID-2car-wc6d-p3a2
Vulnerability ID VCID-2car-wc6d-p3a2
Aliases CVE-2021-32923, GHSA-38j9-7pp9-2hjw
Summary Invalid session token expiration. HashiCorp Vault and Vault Enterprise allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically, those within 1 second of their maximum TTL), which caused them to be incorrectly treated as non-expiring during subsequent use. Fixed in 1.5.9, 1.6.5, and 1.7.2.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
System Score Found at
cvssv3 6.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-32923.json
epss 0.00654 https://api.first.org/data/v1/epss?cve=CVE-2021-32923
cvssv3.1 7.4 https://discuss.hashicorp.com/t/hcsec-2021-15-vault-renewed-nearly-expired-leases-with-incorrect-non-expiring-ttls/24603
generic_textual HIGH https://discuss.hashicorp.com/t/hcsec-2021-15-vault-renewed-nearly-expired-leases-with-incorrect-non-expiring-ttls/24603
cvssv3.1 7.4 https://nvd.nist.gov/vuln/detail/CVE-2021-32923
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2021-32923
archlinux Medium https://security.archlinux.org/AVG-2029
cvssv3.1 7.4 https://security.gentoo.org/glsa/202207-01
generic_textual HIGH https://security.gentoo.org/glsa/202207-01
cvssv3.1 7.4 https://www.hashicorp.com/blog/category/vault
generic_textual HIGH https://www.hashicorp.com/blog/category/vault
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-32923.json
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): low; Integrity Impact (I): high; Availability Impact (A): none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://discuss.hashicorp.com/t/hcsec-2021-15-vault-renewed-nearly-expired-leases-with-incorrect-non-expiring-ttls/24603
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2021-32923
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://security.gentoo.org/glsa/202207-01
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://www.hashicorp.com/blog/category/vault
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): none
Exploit Prediction Scoring System (EPSS)
Percentile 0.70848
EPSS Score 0.00654
Published At April 1, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T13:02:19.655149+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-38j9-7pp9-2hjw/GHSA-38j9-7pp9-2hjw.json 38.0.0