Introduction
Problem
Vault fails to unseal after upgrading to Vault 1.16.23, 1.18.11, 1.19.7 or 1.20.1 or newer if the Vault Audit File Device mode configuration parameter contains the executable bit.
The Vault Operational Log shows:
[ERROR] core: failed to create audit entry: path=file/ error="unable to create new audit backend: file mode may not be executable: 744"
[INFO] core: pre-seal teardown starting
[DEBUG] rotation-job-manager: rotation entries collected: num_existing=0
[INFO] core: stopping raft active node
[INFO] core: stopping replication
[TRACE] core.snapshotmgr: shutting down automatic snapshots
[INFO] core: closed sync connection
[TRACE] replication.perf.logshipper: interrupting streams
[TRACE] replication.perf.logshipper: done interrupting streams
[TRACE] replication.dr.logshipper: interrupting streams
[TRACE] replication.dr.logshipper: done interrupting streams
[INFO] core: replication stopped
[DEBUG] audit: removing reload function: path=file/
[INFO] core: shutting down census manager
[DEBUG] reporting: census manager is not active
[DEBUG] core: census manager shutdown complete
[DEBUG] expiration: stop triggered
[TRACE] expiration.job-manager: terminating job manager...
[TRACE] expiration.job-manager: terminating dispatcher
[DEBUG] expiration: finished stopping
[DEBUG] rotation-job-manager: stopping rotation manager
[TRACE] rotation-job-manager: terminating job manager...
[TRACE] rotation-job-manager: terminating dispatcher
[DEBUG] rotation-job-manager: finished stopping rotation manager
[INFO] rollback: stopping rollback manager
[DEBUG] system.secrets_sync: stopping secrets sync reconciliation
[DEBUG] system.secrets_sync: stopping secrets sync queue
[TRACE] system: terminating job manager...
[TRACE] system: terminating dispatcher
[DEBUG] sealwrap: stopping upgrades
[DEBUG] core: set storage to read-write
[INFO] core: pre-seal teardown complete
[ERROR] core: post-unseal setup failed: error="failed to setup audit table"
Prerequisites (if applicable)
- Vault Enterprise Vault 1.16.23, 1.18.12, 1.19.7 or 1.20.1 or newer
- Only one Vault Audit File Device is enabled, and its mode configuration parameter is specified with a value containing the execute bit.
Cause
In Vault Enterprise 1.16.23, 1.18.12, 1.19.7 or 1.20.1 or newer, the following issue has been addressed:
audit: privileged vault operator may execute code on the underlying host (CVE-2025-6000). Add additional verifications to the target of file audit sinks. [GH-31211,HCSEC-2025-14]
Because of this fix, the Vault Audit File Device mode configuration parameter is no longer allowed to contain the execute bit.
For example:
vault audit enable file file_path=/opt/vault/vault-audit.log mode=744
Note the leading 7 (the owner permission digit): it contains the execute bit, because each octal digit is the sum of:
r (read): 4
w (write): 2
x (execute): 1
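As an added pre-upgrade check (not part of this article or of Vault's own tooling), the following Python snippet flags file audit devices whose mode would be rejected by the new verification and suggests the same mode with the execute bits cleared. It assumes input shaped like the JSON of `vault audit list -detailed -format=json` (a constructed sample is embedded; the field names are an assumption based on the sys/audit API).

```python
import json

# Constructed sample shaped like `vault audit list -detailed -format=json` output.
# Assumption: field names follow the sys/audit API; this was not captured from a real cluster.
SAMPLE_AUDIT_LIST = """
{
  "file/": {"type": "file", "description": "", "local": false,
            "options": {"file_path": "/opt/vault/vault-audit.log", "mode": "744"}},
  "file-dr/": {"type": "file", "description": "", "local": true,
               "options": {"file_path": "/var/log/vault/dr-audit.log", "mode": "0640"}},
  "syslog/": {"type": "syslog", "description": "", "local": false,
              "options": {"tag": "vault"}}
}
"""

EXEC_BITS = 0o111  # execute bit for owner, group and other


def mode_has_exec_bit(mode):
    """True if an octal mode string such as "744" or "0644" sets any execute bit.
    A mode of "0" tells Vault not to modify the file mode, so it yields False."""
    return bool(int(mode, 8) & EXEC_BITS)


def strip_exec_bits(mode):
    """Return the mode with all execute bits cleared, as a 4-digit octal string (744 -> 0644)."""
    return format(int(mode, 8) & ~EXEC_BITS, "04o")


def find_offending_file_devices(audit_list_json):
    """Return {path: mode} for every file audit device whose mode contains an execute bit.
    Devices without an explicit mode use Vault's documented default of 0600."""
    offending = {}
    for path, device in json.loads(audit_list_json).items():
        if device.get("type") != "file":
            continue  # only file sinks have a mode to check
        mode = device.get("options", {}).get("mode", "0600")
        if mode_has_exec_bit(mode):
            offending[path] = mode
    return offending


if __name__ == "__main__":
    for path, mode in find_offending_file_devices(SAMPLE_AUDIT_LIST).items():
        print(f"{path}: mode={mode} contains an execute bit; "
              f"disable and re-enable it with mode={strip_exec_bits(mode)} before upgrading")
```

Run it against the real `vault audit list -detailed -format=json` output on each cluster before upgrading; any path it prints must be disabled and re-enabled without the execute bit first.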
Overview of possible solutions (if applicable)
Solutions:
Downgrade Vault to a version prior to 1.16.23, 1.18.12, 1.19.7 or 1.20.1, then disable or reconfigure the Audit File Device without the execute bit before re-attempting the upgrade.
For example:
vault audit disable file
vault audit enable file file_path=/opt/vault/vault-audit.log mode=644
Alternatively, Vault Recovery mode can be leveraged to delete the affected Audit Device. Please engage HashiCorp Global Support for assistance before attempting these steps, as they involve both using recovery mode and performing a quorum recovery.
Additional Information
Vault Documentation Recovery mode
Vault Documentation File audit device
Vault Documentation Recover from lost quorum
Changelog Vault Changelog