Hashicorp Vault

by HashiCorp, Inc.v2.0.2

Last updated Jun 8, 2026

Vault is a tool for securely accessing secrets.

Install with winget

$ winget install --id Hashicorp.Vault --exact --version 2.0.2

Run in Command Prompt, PowerShell, or Windows Terminal. Prompts for any agreements.

Built by Pckgr

For Intune admins

Stop chasing app updates. Pckgr patches them for you.

Automated application patching for Microsoft Intune. Pckgr keeps a curated library of 1,000+ apps continuously up-to-date in your tenant via Microsoft Graph - no manual repackaging, no chasing vendor sites.

Start free 30-day trial

No credit card required.

About

Vault is a tool for securely accessing secrets. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log.

Installers · v2.0.2

Architecture	Type	Scope	Install	Download
x86	ZIP archive	-		Direct
x64	ZIP archive	-		Direct

Copy a command tailored to that specific architecture, type, and scope - useful when winget would otherwise pick a different default.

Security

25 known CVEs via NVD

high7.5Patched in wingetCVE-2026-5807affects before 2.0.0Apr 16, 2026
Vault is vulnerable to a denial-of-service condition where an unauthenticated attacker can repeatedly initiate or cancel root token generation or rekey operations, occupying the single in-progress operation slot. This prevents legitimate operators from completing these workflows...
Vendor advisory
medium5.3Patched in wingetCVE-2026-5052affects before 1.19.16, 1.20.10, 1.21.5, 2.0.0Apr 16, 2026
Vault’s PKI engine’s ACME validation did not reject local targets when issuing http-01 and tls-alpn-01 challenges. This may lead to these requests being sent to local network targets, potentially leading to information disclosure. Fixed in Vault Community Edition 2.0.0 and Vault...
Vendor advisory
high7.5Patched in wingetCVE-2026-4525affects before 1.19.16, 1.20.10, 1.21.5, 2.0.0Apr 16, 2026
If a Vault auth mount is configured to pass through the "Authorization" header, and the "Authorization" header is used to authenticate to Vault, Vault forwarded the Vault token to the auth plugin backend. Fixed in 2.0.0, 1.21.5, 1.20.10, and 1.19.16.
Vendor advisory
high8.1Patched in wingetCVE-2026-3605affects before 1.19.16, 1.20.10, 1.21.5, 2.0.0Apr 16, 2026
An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user to delete secrets across namespaces, nor...
Vendor advisory
high7.5Patched in wingetCVE-2025-12044affects before 1.16.27, 1.20.5, 1.21.0Oct 23, 2025
Vault and Vault Enterprise (“Vault”) are vulnerable to an unauthenticated denial of service when processing JSON payloads. This occurs due to a regression from a previous fix for [+HCSEC-2025-24+|https://discuss.hashicorp.com/t/hcsec-2025-24-vault-denial-of-service-though-comple...
Vendor advisory
high8.1Patched in wingetCVE-2025-11621affects before 1.16.27, 1.19.11, 1.20.5, 1.21.0Oct 23, 2025
Vault and Vault Enterprise’s (“Vault”) AWS Auth method may be susceptible to authentication bypass if the role of the configured bound_principal_iam is the same across AWS accounts, or uses a wildcard. This vulnerability, CVE-2025-11621, is fixed in Vault Community Edition 1.21....
Vendor advisory
high7.5Patched in wingetCVE-2025-6203affects before 1.16.27, 1.18.15, 1.19.11, +2 moreAug 28, 2025
A malicious user may submit a specially-crafted complex payload that otherwise meets the default request size limit which results in excessive memory and CPU consumption of Vault. This may lead to a timeout in Vault’s auditing subroutine, potentially resulting in the Vault serve...
Vendor advisory
medium6.5Patched in wingetCVE-2025-6013affects before 1.16.24, 1.18.13, 1.19.8, 1.20.2Aug 6, 2025
Vault and Vault Enterprise’s (“Vault”) ldap auth method may not have correctly enforced MFA if username_as_alias was set to true and a user had multiple CNs that are equal but with leading or trailing spaces. Fixed in Vault Community Edition 1.20.2 and Vault Enterprise 1.20.2, 1...
Vendor advisory

Showing 8 of 25. Source: NVD, updated 2h ago. Patch status is best-effort: NVD's fix version is compared against the latest version in winget, but the two version formats don't always align. Confirm with the vendor advisory before treating any specific build as safe.

See a CVE that affects your fleet? Push the patched version to Intune in one click with Pckgr - automated patching is the only way to keep up.

Related apps

TalismanThoughtworks
Thoughtworks.Talismanv1.37.0
A tool to detect and prevent secrets from getting checked in.
CryptrJacob Crowther
Adobe.Cryptrv0.6.0
A GUI for Vault
Keeper CommanderKeeper Security, Inc.
KeeperSecurity.Commanderv18.0.7
Keeper Commander is a python-based CLI and SDK interface to the Keeper Security platform. Provides administrative controls, reporting, import/export and vault management.
Advanced Archive Password RecoveryElcomsoft Co. Ltd.
Elcomsoft.ArchivePasswordv4.66.266.6965
Break into password-protected ZIP, 7Zip and RAR archives. Thorough low-level optimization help finish the job faster.
Dashlane CLIDashlane, Inc.
Dashlane.CLIv6.2614.0
Command line interface for Dashlane. Access your secrets in your terminal, servers and CI/CD.
P
puffMarcin Jahn
marcinjahn.puffv1.1.1
Puff is a CLI tool that manages private configuration files of your dev projects

More from HashiCorp, Inc. or browse api-keys, hashicorp, passwords.

Frequently asked questions

How do I install Hashicorp Vault on Windows?

Open Windows Terminal, PowerShell, or Command Prompt and run: winget install --id Hashicorp.Vault --exact --version 2.0.2. winget downloads the installer from HashiCorp, Inc. and runs it. Requires Windows 10 (1809+) or Windows 11.

How do I install Hashicorp Vault silently for unattended deployment?

Add --silent and accept the agreements upfront: winget install --id Hashicorp.Vault --exact 2.0.2 --silent --accept-package-agreements --accept-source-agreements. This is the variant Intune, Configuration Manager, and other deployment tools should use.

How do I uninstall Hashicorp Vault via winget?

Run: winget uninstall --id Hashicorp.Vault --exact. Add --silent for unattended uninstalls. winget will use the registered uninstaller from Hashicorp Vault's Apps & Features entry.

Is Hashicorp Vault free?

Hashicorp Vault is distributed under BUSL-1.1. Refer to the publisher (https://developer.hashicorp.com/vault) for the full license terms - Wingetly itself does not charge for installation.

Does Hashicorp Vault work on Windows 10?

Yes, as long as your Windows 10 build supports winget (1809 or newer). winget ships with App Installer on Windows 10/11 and pulls Hashicorp Vault directly from the publisher.

How do I keep Hashicorp Vault up to date?

Run winget upgrade --id Hashicorp.Vault --exact, or winget upgrade --all to update everything winget tracks. We index 10 versions of Hashicorp Vault from microsoft/winget-pkgs.

Recent versions

2.0.2latest
2.0.0
1.21.4
1.21.3
1.21.2
1.21.1
1.20.3
1.20.2
1.20.1
1.20.0