Add clarity to breaking change impact (#835)

mladlow · schavis · web-flow · commit e0f805840ce8 · 2025-08-20T16:17:42.000-07:00
* Add clarity to breaking change impact * Update content/vault/global/partials/important-changes/breaking-changes/cve-2025-6000.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> --------- Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
diff --git a/content/vault/global/partials/important-changes/breaking-changes/cve-2025-6000.mdx b/content/vault/global/partials/important-changes/breaking-changes/cve-2025-6000.mdx
@@ -5,15 +5,24 @@
 | Breaking     | 1.20.1+, 1.19.7+, 1.18.12+, 1.16.23+ | All
 
 File audit devices require explicit configuration for prefixing and cannot use
-executable file permissions.  You must set `allow_audit_log_prefixing` to `true`
-in your server configuration to enable `file` audit devices with the `prefix`
-option. Additionally, `file` audit devices cannot use file modes with executable
-permissions (e.g., 0777, 0755).
+executable file permissions.
+
+Vault will not unseal on upgrade if your only configured audit device is a
+`file` device with the executable
+[mode](/vault/docs/commands/audit/enable#command-arguments) set.
+
+Vault `file` audit devices cannot use file modes with executable permissions
+(e.g., 0777, 0755), and should be configured with `0644` permissions
+(or similar).
+
+Additionally, to enable `file` audit devices with the `prefix` option, you must
+set `allow_audit_log_prefixing` to `true` in your server configuration on each
+node in your cluster.
 
 #### Recommendation
 
 If you use `file` audit devices:
 
 1. Add `allow_audit_log_prefixing = true` to your Vault server configuration if
    you want to use the `prefix` option.
-1. Use non-executable file modes (e.g., 0644, 0666) for log files.
+1. Use non-executable file modes (e.g., 0644, 0666) for log files.
