diff --git a/changelog/13476.txt b/changelog/13476.txt
new file mode 100644
index 0000000000000..d5b8af05729c6
--- /dev/null
+++ b/changelog/13476.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core/identity: Address a data race condition between local updates to aliases and invalidations
+```
diff --git a/vault/identity_store.go b/vault/identity_store.go
index 7f93431604ea8..63b02d88aaa7d 100644
--- a/vault/identity_store.go
+++ b/vault/identity_store.go
@@ -750,7 +750,7 @@ func (i *IdentityStore) CreateOrFetchEntity(ctx context.Context, alias *logical.
 	}
 
 	// Check if an entity already exists for the given alias
-	entity, err = i.entityByAliasFactors(alias.MountAccessor, alias.Name, false)
+	entity, err = i.entityByAliasFactors(alias.MountAccessor, alias.Name, true)
 	if err != nil {
 		return nil, err
 	}
@@ -837,8 +837,7 @@ func (i *IdentityStore) CreateOrFetchEntity(ctx context.Context, alias *logical.
 	}
 
 	txn.Commit()
-
-	return entity, nil
+	return entity.Clone()
 }
 
 // changedAliasIndex searches an entity for changed alias metadata.
diff --git a/vault/identity_store_util.go b/vault/identity_store_util.go
index 4bd9cf402b7d2..48716050ea86c 100644
--- a/vault/identity_store_util.go
+++ b/vault/identity_store_util.go
@@ -695,7 +695,7 @@ func (i *IdentityStore) processLocalAlias(ctx context.Context, lAlias *logical.A
 		return nil, fmt.Errorf("mount accessor %q is not local", lAlias.MountAccessor)
 	}
 
-	alias, err := i.MemDBAliasByFactors(lAlias.MountAccessor, lAlias.Name, true, false)
+	alias, err := i.MemDBAliasByFactors(lAlias.MountAccessor, lAlias.Name, false, false)
 	if err != nil {
 		return nil, err
 	}
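Review bot: The flip to a cloned lookup on the `entityByAliasFactors` line carries no explanation, and the part of `CreateOrFetchEntity` where the copy actually matters (the function starts before this hunk and continues past it) is not visible: any alias bookkeeping done on `entity` after this point now lands on the copy, so it only reaches MemDB if the copy is upserted inside the transaction before the `txn.Commit()` further down — worth confirming against the code between the hunks. Without a why-comment the next maintainer is likely to switch it back to `false` to save the copy. I would add, directly above the call, `// Operate on a copy: the MemDB-resident entity can be read or replaced by an invalidation concurrently.`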
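Review bot: `return entity.Clone()` quietly changes the function's error contract — the success path can now surface whatever `Clone` returns instead of `nil` — and whether a nil `entity` is safe here depends on `Clone`'s nil handling, which this hunk does not show; if `entity` can be nil after the create/fetch branches, guard it before the call. The copy itself is justified on the create path, where `entity` is presumably the object just inserted into MemDB, but it also means the fetch path is cloned twice (once in the earlier hunk, once here), which is acceptable only if that is intentional. A comment above the return would make the intent explicit: `// Hand the caller a detached copy; never share a pointer with the MemDB-resident entity.` Only the tail of `CreateOrFetchEntity` is visible in this hunk.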
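Review bot: Passing `false` for the clone argument on the `MemDBAliasByFactors` line makes `processLocalAlias` work with the alias object stored in MemDB rather than a copy, which reads as the opposite of what the changelog describes unless the alias is only read afterwards or is re-attached to an entity that has itself been cloned. The remainder of the function runs past the hunk, so I cannot verify either condition from here; if the alias is mutated in place further down, this reintroduces exactly the shared-write pattern the commit is meant to remove. Please state the invariant at the call site, e.g. `// Not cloned on purpose: the alias is only read here and must not be modified in place.`, and confirm that the body honours it.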