diff --git a/changelog/unreleased/kong/fix-vault-workspaces.yml b/changelog/unreleased/kong/fix-vault-workspaces.yml
new file mode 100644
index 000000000000..c381ebcda877
--- /dev/null
+++ b/changelog/unreleased/kong/fix-vault-workspaces.yml
@@ -0,0 +1,3 @@
+message: "**Vault**: do not use incorrect (default) workspace identifier when retrieving vault entity by prefix"
+type: bugfix
+scope: Core
diff --git a/kong/pdk/vault.lua b/kong/pdk/vault.lua
index 442d7c6d8398..2666c925f5dc 100644
--- a/kong/pdk/vault.lua
+++ b/kong/pdk/vault.lua
@@ -60,6 +60,9 @@ local COLON = byte(":")
 local SLASH = byte("/")
 
 
+local VAULT_QUERY_OPTS = { workspace = ngx.null }
+
+
 ---
 -- Checks if the passed in reference looks like a reference.
 -- Valid references start with '{vault://' and end with '}'.
@@ -606,10 +609,10 @@ local function new(self)
 
     if cache then
       local vault_cache_key = vaults:cache_key(prefix)
-      vault, err = cache:get(vault_cache_key, nil, vaults.select_by_prefix, vaults, prefix)
+      vault, err = cache:get(vault_cache_key, nil, vaults.select_by_prefix, vaults, prefix, VAULT_QUERY_OPTS)
 
     else
-      vault, err = vaults:select_by_prefix(prefix)
+      vault, err = vaults:select_by_prefix(prefix, VAULT_QUERY_OPTS)
     end
 
     if not vault then