HashiCorp Vault MCP Server
Official HashiCorp MCP server for reading, writing, and listing secrets and managing mounts in HashiCorp Vault.
🛡️ AgentReady threat assessment
MAESTRO 7-layer threat model + OWASP AIVSS risk score for HashiCorp Vault MCP Server, derived from its capabilities.
AIVSS 8.1 · High
Overview
HashiCorp's official Vault MCP server lets MCP clients list, read, and write KV secrets and create mounts in Vault over the stdio or StreamableHTTP transport. It is intended for local use, and the docs warn that MCP_ALLOWED_ORIGINS should be set to prevent DNS rebinding when the HTTP transport is used. Because it can read live secrets, it is one of the highest-sensitivity MCP surfaces and demands tight scoping.
Key features
- List/read/write KV secrets
- Create Vault mounts
- stdio and StreamableHTTP transports
Use cases
- Let an agent fetch a scoped secret at runtime
- Manage Vault mounts conversationally