From 0fe7702c627e607799af1a2b4abe07ea55ae1e74 Mon Sep 17 00:00:00 2001
From: Vault Automation <github-team-secure-vault-core@hashicorp.com>
Date: Thu, 11 Sep 2025 12:08:22 -0600
Subject: [PATCH] VAULT-39368 fix version not being populated for some KV
 mounts in events/observations (#9270) (#9278)

Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
---
 vault/auth.go  |  5 +++--
 vault/mount.go | 11 +++++++++--
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/vault/auth.go b/vault/auth.go
index 0cb1393adb..4276ca9cd0 100644
--- a/vault/auth.go
+++ b/vault/auth.go
@@ -1037,6 +1037,7 @@ func (c *Core) newCredentialBackend(ctx context.Context, entry *MountEntry, sysV
 
 	conf["plugin_type"] = consts.PluginTypeCredential.String()
 	conf["plugin_version"] = pluginVersion
+	pluginOptionsVersion := entry.Options["version"]
 
 	authLogger := c.baseLogger.Named(fmt.Sprintf("auth.%s.%s", t, entry.Accessor))
 	c.AddLogger(authLogger)
@@ -1046,7 +1047,7 @@ func (c *Core) newCredentialBackend(ctx context.Context, entry *MountEntry, sysV
 		MountPath:     entry.Path,
 		Plugin:        entry.Type,
 		PluginVersion: pluginVersion,
-		Version:       entry.Options["version"],
+		Version:       pluginOptionsVersion,
 	})
 	if err != nil {
 		return nil, err
@@ -1064,7 +1065,7 @@ func (c *Core) newCredentialBackend(ctx context.Context, entry *MountEntry, sysV
 		Plugin:               entry.Type,
 		PluginVersion:        pluginVersion,
 		RunningPluginVersion: pluginRunningVersion,
-		Version:              entry.Options["version"],
+		Version:              pluginOptionsVersion,
 		Local:                entry.Local,
 	})
 	if err != nil {
diff --git a/vault/mount.go b/vault/mount.go
index 93780b82f5..e06c95f9df 100644
--- a/vault/mount.go
+++ b/vault/mount.go
@@ -20,6 +20,7 @@ import (
 	"github.com/hashicorp/vault/builtin/plugin"
 	"github.com/hashicorp/vault/helper/metricsutil"
 	"github.com/hashicorp/vault/helper/namespace"
+	"github.com/hashicorp/vault/helper/pluginconsts"
 	"github.com/hashicorp/vault/helper/versions"
 	"github.com/hashicorp/vault/sdk/helper/consts"
 	"github.com/hashicorp/vault/sdk/helper/jsonutil"
@@ -1775,6 +1776,12 @@ func (c *Core) newLogicalBackend(ctx context.Context, entry *MountEntry, sysView
 	conf["plugin_type"] = consts.PluginTypeSecrets.String()
 	conf["plugin_version"] = pluginVersion
 
+	pluginOptionsVersion := entry.Options["version"]
+	// If Version isn't specified for a KV mount, it must be version 1.
+	if pluginOptionsVersion == "" && entry.Type == pluginconsts.SecretEngineKV {
+		pluginOptionsVersion = "1"
+	}
+
 	backendLogger := c.baseLogger.Named(fmt.Sprintf("secrets.%s.%s", t, entry.Accessor))
 	c.AddLogger(backendLogger)
 	pluginEventSender, err := c.events.WithPlugin(entry.namespace, &logical.EventPluginInfo{
@@ -1783,7 +1790,7 @@ func (c *Core) newLogicalBackend(ctx context.Context, entry *MountEntry, sysView
 		MountPath:     entry.Path,
 		Plugin:        entry.Type,
 		PluginVersion: pluginVersion,
-		Version:       entry.Options["version"],
+		Version:       pluginOptionsVersion,
 	})
 	if err != nil {
 		return nil, err
@@ -1801,7 +1808,7 @@ func (c *Core) newLogicalBackend(ctx context.Context, entry *MountEntry, sysView
 		Plugin:               entry.Type,
 		PluginVersion:        pluginVersion,
 		RunningPluginVersion: pluginRunningVersion,
-		Version:              entry.Options["version"],
+		Version:              pluginOptionsVersion,
 		Local:                entry.Local,
 	})
 	if err != nil {