Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    418 vulnerabilities by HashiCorp

    CVE-2026-14896 (GCVE-0-2026-14896)

    Vulnerability from nvd – Published: 2026-07-08 20:21 – Updated: 2026-07-08 20:21
    VLAI
    Title
    Nomad vulnerable to cross-namespace host volume claim deletion
    Summary
    HashiCorp Nomad and Nomad Enterprise are vulnerable to a cross-namespace authorization bypass in the dynamic host volumes feature that may allow an operator holding the host volume delete permission in one namespace to delete a sticky volume claim belonging to a job in another namespace. This vulnerability, CVE-2026-14896, is fixed in Nomad Community Edition 2.0.4 and Nomad Enterprise 2.0.4, 1.11.8, and 1.10.14.
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    Impacted products
    Vendor Product Version
    HashiCorp Nomad Affected: 0.4.1 , < 2.0.4 (semver)
    Create a notification for this product.
    HashiCorp Nomad Enterprise Affected: 0.4.1 , < 2.0.4 (semver)
    Create a notification for this product.
    Credits
    This issue was reported to HashiCorp by George Chen.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "64 bit",
                "32 bit",
                "x86",
                "ARM",
                "MacOS",
                "Windows",
                "Linux"
              ],
              "product": "Nomad",
              "repo": "https://github.com/hashicorp/nomad",
              "vendor": "HashiCorp",
              "versions": [
                {
                  "lessThan": "2.0.4",
                  "status": "affected",
                  "version": "0.4.1",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "64 bit",
                "32 bit",
                "x86",
                "ARM",
                "MacOS",
                "Windows",
                "Linux"
              ],
              "product": "Nomad Enterprise",
              "repo": "https://github.com/hashicorp/nomad",
              "vendor": "HashiCorp",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "1.11.8",
                      "status": "unaffected"
                    },
                    {
                      "at": "1.10.14",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2.0.4",
                  "status": "affected",
                  "version": "0.4.1",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "This issue was reported to HashiCorp by George Chen."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eHashiCorp Nomad and Nomad Enterprise are vulnerable to a cross-namespace authorization bypass in the dynamic host volumes feature that may allow an operator holding the host volume delete permission in one namespace to delete a sticky volume claim belonging to a job in another namespace. This vulnerability, CVE-2026-14896, is fixed in Nomad Community Edition 2.0.4 and Nomad Enterprise 2.0.4, 1.11.8, and 1.10.14.\u003c/p\u003e\u003cbr/\u003e"
                }
              ],
              "value": "HashiCorp Nomad and Nomad Enterprise are vulnerable to a cross-namespace authorization bypass in the dynamic host volumes feature that may allow an operator holding the host volume delete permission in one namespace to delete a sticky volume claim belonging to a job in another namespace. This vulnerability, CVE-2026-14896, is fixed in Nomad Community Edition 2.0.4 and Nomad Enterprise 2.0.4, 1.11.8, and 1.10.14."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-1",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.2,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T20:21:16.463Z",
            "orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
            "shortName": "HashiCorp"
          },
          "references": [
            {
              "url": "https://discuss.hashicorp.com/t/hcsec-2026-22-nomad-vulnerable-to-cross-namespace-host-volume-claim-deletion/77562"
            }
          ],
          "source": {
            "advisory": "HCSEC-2026-22",
            "discovery": "EXTERNAL"
          },
          "title": "Nomad vulnerable to cross-namespace host volume claim deletion"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
        "assignerShortName": "HashiCorp",
        "cveId": "CVE-2026-14896",
        "datePublished": "2026-07-08T20:21:16.463Z",
        "dateReserved": "2026-07-06T18:35:49.618Z",
        "dateUpdated": "2026-07-08T20:21:16.463Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-14891 (GCVE-0-2026-14891)

    Vulnerability from nvd – Published: 2026-07-08 20:09 – Updated: 2026-07-08 20:36
    VLAI
    Title
    Nomad vulnerable to sandbox escape in Docker task driver
    Summary
    HashiCorp Nomad and Nomad Enterprise are vulnerable to a sandbox escape in the Docker task driver that may allow a job submitter to bind-mount a host path into a container even when volume bind mounts are disabled, potentially leading to reading and writing files on the host. This vulnerability, CVE-2026-14891, is fixed in Nomad Community Edition 2.0.4 and Nomad Enterprise 2.0.4, 1.11.8, and 1.10.14.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-59 - Improper Link Resolution Before File Access (Link Following)
    Assigner
    Impacted products
    Vendor Product Version
    HashiCorp Nomad Affected: 0.4.1 , < 2.0.4 (semver)
    Create a notification for this product.
    HashiCorp Nomad Enterprise Affected: 0.4.1 , < 2.0.4 (semver)
    Create a notification for this product.
    Credits
    This issue was reported to HashiCorp by Volkan Kutal, GitHub handle @KutalVolkan.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-14891",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T20:35:42.568630Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T20:36:00.440Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "64 bit",
                "32 bit",
                "x86",
                "ARM",
                "MacOS",
                "Windows",
                "Linux"
              ],
              "product": "Nomad",
              "repo": "https://github.com/hashicorp/nomad",
              "vendor": "HashiCorp",
              "versions": [
                {
                  "lessThan": "2.0.4",
                  "status": "affected",
                  "version": "0.4.1",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "64 bit",
                "32 bit",
                "x86",
                "ARM",
                "MacOS",
                "Windows",
                "Linux"
              ],
              "product": "Nomad Enterprise",
              "repo": "https://github.com/hashicorp/nomad",
              "vendor": "HashiCorp",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "1.11.8",
                      "status": "unaffected"
                    },
                    {
                      "at": "1.10.14",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2.0.4",
                  "status": "affected",
                  "version": "0.4.1",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "This issue was reported to HashiCorp by Volkan Kutal, GitHub handle @KutalVolkan."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eHashiCorp Nomad and Nomad Enterprise are vulnerable to a sandbox escape in the Docker task driver that may allow a job submitter to bind-mount a host path into a container even when volume bind mounts are disabled, potentially leading to reading and writing files on the host. This vulnerability, CVE-2026-14891, is fixed in Nomad Community Edition 2.0.4 and Nomad Enterprise 2.0.4, 1.11.8, and 1.10.14.\u003c/p\u003e\u003cbr/\u003e"
                }
              ],
              "value": "HashiCorp Nomad and Nomad Enterprise are vulnerable to a sandbox escape in the Docker task driver that may allow a job submitter to bind-mount a host path into a container even when volume bind mounts are disabled, potentially leading to reading and writing files on the host. This vulnerability, CVE-2026-14891, is fixed in Nomad Community Edition 2.0.4 and Nomad Enterprise 2.0.4, 1.11.8, and 1.10.14."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-132",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-132: Symlink Attack"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-59",
                  "description": "CWE-59: Improper Link Resolution Before File Access (Link Following)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T20:09:05.752Z",
            "orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
            "shortName": "HashiCorp"
          },
          "references": [
            {
              "url": "https://discuss.hashicorp.com/t/hcsec-2026-21-nomad-vulnerable-to-sandbox-escape-in-docker-task-driver/77561"
            }
          ],
          "source": {
            "advisory": "HCSEC-2026-21",
            "discovery": "EXTERNAL"
          },
          "title": "Nomad vulnerable to sandbox escape in Docker task driver"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
        "assignerShortName": "HashiCorp",
        "cveId": "CVE-2026-14891",
        "datePublished": "2026-07-08T20:09:05.752Z",
        "dateReserved": "2026-07-06T18:05:48.932Z",
        "dateUpdated": "2026-07-08T20:36:00.440Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-14373 (GCVE-0-2026-14373)

    Vulnerability from nvd – Published: 2026-07-08 17:29 – Updated: 2026-07-08 20:37
    VLAI
    Title
    Nomad Docker driver Linux host namespace bypass
    Summary
    HashiCorp Nomad and Nomad Enterprise did not enforce the allow_privileged restriction for the Docker task driver's host namespace mode options. This may allow an authenticated job submitter to run a container in a host namespace and access information belonging to the host or to other workloads on the same client. This vulnerability, CVE-2026-14373, is fixed in Nomad Community Edition 2.0.4 and Nomad Enterprise 2.0.4, 1.11.8, and 1.10.14.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    HashiCorp Nomad Affected: 0.4.1 , < 2.0.4 (semver)
    Create a notification for this product.
    HashiCorp Nomad Enterprise Affected: 0.4.1 , < 2.0.4 (semver)
    Create a notification for this product.
    Credits
    This issue was reported to HashiCorp by Deniz Onur Duzgun (@dduzgun-security).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-14373",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T20:37:33.792550Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T20:37:39.961Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "64 bit",
                "32 bit",
                "x86",
                "ARM",
                "MacOS",
                "Windows",
                "Linux"
              ],
              "product": "Nomad",
              "repo": "https://github.com/hashicorp/nomad",
              "vendor": "HashiCorp",
              "versions": [
                {
                  "lessThan": "2.0.4",
                  "status": "affected",
                  "version": "0.4.1",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "64 bit",
                "32 bit",
                "x86",
                "ARM",
                "MacOS",
                "Windows",
                "Linux"
              ],
              "product": "Nomad Enterprise",
              "repo": "https://github.com/hashicorp/nomad",
              "vendor": "HashiCorp",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "1.11.8",
                      "status": "unaffected"
                    },
                    {
                      "at": "1.10.14",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2.0.4",
                  "status": "affected",
                  "version": "0.4.1",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "This issue was reported to HashiCorp by Deniz Onur Duzgun (@dduzgun-security)."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eHashiCorp Nomad and Nomad Enterprise did not enforce the allow_privileged restriction for the Docker task driver\u0027s host namespace mode options. This may allow an authenticated job submitter to run a container in a host namespace and access information belonging to the host or to other workloads on the same client. This vulnerability, CVE-2026-14373, is fixed in Nomad Community Edition 2.0.4 and Nomad Enterprise 2.0.4, 1.11.8, and 1.10.14.\u003c/p\u003e\u003cbr/\u003e"
                }
              ],
              "value": "HashiCorp Nomad and Nomad Enterprise did not enforce the allow_privileged restriction for the Docker task driver\u0027s host namespace mode options. This may allow an authenticated job submitter to run a container in a host namespace and access information belonging to the host or to other workloads on the same client. This vulnerability, CVE-2026-14373, is fixed in Nomad Community Edition 2.0.4 and Nomad Enterprise 2.0.4, 1.11.8, and 1.10.14."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-1",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T17:29:30.614Z",
            "orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
            "shortName": "HashiCorp"
          },
          "references": [
            {
              "url": "https://discuss.hashicorp.com/t/hcsec-2026-19-nomad-docker-driver-vulnerable-to-host-namespace-bypass-on-linux/77557"
            }
          ],
          "source": {
            "advisory": "HCSEC-2026-19",
            "discovery": "EXTERNAL"
          },
          "title": "Nomad Docker driver Linux host namespace bypass"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
        "assignerShortName": "HashiCorp",
        "cveId": "CVE-2026-14373",
        "datePublished": "2026-07-08T17:29:30.614Z",
        "dateReserved": "2026-07-01T20:10:53.797Z",
        "dateUpdated": "2026-07-08T20:37:39.961Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-14361 (GCVE-0-2026-14361)

    Vulnerability from nvd – Published: 2026-07-08 20:11 – Updated: 2026-07-08 20:37
    VLAI
    Title
    Consul-template is vulnerable to path redirection in writeToFile through symlink attack
    Summary
    The consul-template library before version 0.42.1 is vulnerable to a path redirection issue in the writeToFile template helper that may allow template output to be written outside the intended directory or to overwrite an existing file. This vulnerability (CVE-2026-14361) is fixed in consul-template 0.42.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-59 - Improper Link Resolution Before File Access (Link Following)
    Assigner
    Impacted products
    Vendor Product Version
    HashiCorp Tooling Affected: 0.1.0 , < 0.42.1 (semver)
    Create a notification for this product.
    Credits
    This issue was reported to HashiCorp by Mohamed Abdelaal (0xmrma).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-14361",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T20:37:49.249358Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T20:37:56.570Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "64 bit",
                "32 bit",
                "x86",
                "ARM",
                "MacOS",
                "Windows",
                "Linux"
              ],
              "product": "Tooling",
              "repo": "https://github.com/hashicorp/consul-template",
              "vendor": "HashiCorp",
              "versions": [
                {
                  "lessThan": "0.42.1",
                  "status": "affected",
                  "version": "0.1.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "This issue was reported to HashiCorp by Mohamed Abdelaal (0xmrma)."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThe consul-template library before version 0.42.1 is vulnerable to a path redirection issue in the writeToFile template helper that may allow template output to be written outside the intended directory or to overwrite an existing file. This vulnerability (CVE-2026-14361) is fixed in consul-template 0.42.1.\u003c/p\u003e\u003cbr/\u003e"
                }
              ],
              "value": "The consul-template library before version 0.42.1 is vulnerable to a path redirection issue in the writeToFile template helper that may allow template output to be written outside the intended directory or to overwrite an existing file. This vulnerability (CVE-2026-14361) is fixed in consul-template 0.42.1."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-132",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-132: Symlink Attack"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-59",
                  "description": "CWE-59: Improper Link Resolution Before File Access (Link Following)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T20:11:32.799Z",
            "orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
            "shortName": "HashiCorp"
          },
          "references": [
            {
              "url": "https://discuss.hashicorp.com/t/hcsec-2026-20-consul-template-vulnerable-to-path-redirections-in-writetofile/77559"
            }
          ],
          "source": {
            "advisory": "HCSEC-2026-20",
            "discovery": "EXTERNAL"
          },
          "title": "Consul-template is vulnerable to path redirection in writeToFile through symlink attack"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
        "assignerShortName": "HashiCorp",
        "cveId": "CVE-2026-14361",
        "datePublished": "2026-07-08T20:11:32.799Z",
        "dateReserved": "2026-07-01T19:00:00.428Z",
        "dateUpdated": "2026-07-08T20:37:56.570Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-14362 (GCVE-0-2026-14362)

    Vulnerability from nvd – Published: 2026-07-08 17:14 – Updated: 2026-07-08 19:40
    VLAI
    Title
    Denial of service via crafted push/pull gossip message in memberlist
    Summary
    HashiCorp memberlist before version 0.6.0 is vulnerable to a denial-of-service issue in its push/pull state handling that may allow an attacker with network access to the gossip port to exhaust memory on a receiving node and cause the process to terminate. This vulnerability (CVE-2026-14362) is fixed in memberlist 0.6.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    Impacted products
    Vendor Product Version
    HashiCorp Shared library Affected: 0.1.5 , < 0.6.0 (semver)
    Create a notification for this product.
    Credits
    This issue was reported to HashiCorp by Andy Gill of ZephrSec.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-14362",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T18:29:53.691434Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T19:40:16.119Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "64 bit",
                "32 bit",
                "x86",
                "ARM",
                "MacOS",
                "Windows",
                "Linux"
              ],
              "product": "Shared library",
              "repo": "https://github.com/hashicorp/memberlist",
              "vendor": "HashiCorp",
              "versions": [
                {
                  "lessThan": "0.6.0",
                  "status": "affected",
                  "version": "0.1.5",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "This issue was reported to HashiCorp by Andy Gill of ZephrSec."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eHashiCorp memberlist before version 0.6.0 is vulnerable to a denial-of-service issue in its push/pull state handling that may allow an attacker with network access to the gossip port to exhaust memory on a receiving node and cause the process to terminate. This vulnerability (CVE-2026-14362) is fixed in memberlist 0.6.0.\u003c/p\u003e\u003cbr/\u003e"
                }
              ],
              "value": "HashiCorp memberlist before version 0.6.0 is vulnerable to a denial-of-service issue in its push/pull state handling that may allow an attacker with network access to the gossip port to exhaust memory on a receiving node and cause the process to terminate. This vulnerability (CVE-2026-14362) is fixed in memberlist 0.6.0."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-469",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-469: HTTP DoS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T17:14:18.218Z",
            "orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
            "shortName": "HashiCorp"
          },
          "references": [
            {
              "url": "https://discuss.hashicorp.com/t/hcsec-2026-18-memberlist-vulnerable-to-denial-of-service-via-gossip-message/77556"
            }
          ],
          "source": {
            "advisory": "HCSEC-2026-18",
            "discovery": "EXTERNAL"
          },
          "title": "Denial of service via crafted push/pull gossip message in memberlist"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
        "assignerShortName": "HashiCorp",
        "cveId": "CVE-2026-14362",
        "datePublished": "2026-07-08T17:14:18.218Z",
        "dateReserved": "2026-07-01T19:07:40.964Z",
        "dateUpdated": "2026-07-08T19:40:16.119Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-14468 (GCVE-0-2026-14468)

    Vulnerability from nvd – Published: 2026-07-06 20:59 – Updated: 2026-07-07 13:52
    VLAI
    Title
    Path traversal allows arbitrary file read in Terraform Enterprise container
    Summary
    HashiCorp Terraform Enterprise contained an issue in its version control system (VCS) ingestion of registry modules that did not correctly enforce the intended boundary on packaged module content. This may allow an authenticated user to include files from outside the intended repository content in a module and then download them, potentially exposing sensitive files readable by the ingestion process. This vulnerability, CVE-2026-14468, is fixed in Terraform Enterprise v2.0.4 and v1.2.4.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
    Assigner
    Impacted products
    Vendor Product Version
    HashiCorp Terraform Enterprise Affected: 1.0.0 , < 2.0.4 (semver)
    Create a notification for this product.
    Credits
    This issue was identified by the Terraform Enterprise engineering team.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-14468",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-07T13:52:23.618304Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-07T13:52:51.836Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "64 bit",
                "32 bit",
                "x86",
                "ARM",
                "MacOS",
                "Windows",
                "Linux"
              ],
              "product": "Terraform Enterprise",
              "vendor": "HashiCorp",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "1.2.4",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2.0.4",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "This issue was identified by the Terraform Enterprise engineering team."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eHashiCorp Terraform Enterprise contained an issue in its version control system (VCS) ingestion of registry modules that did not correctly enforce the intended boundary on packaged module content. This may allow an authenticated user to include files from outside the intended repository content in a module and then download them, potentially exposing sensitive files readable by the ingestion process. This vulnerability, CVE-2026-14468, is fixed in Terraform Enterprise v2.0.4 and v1.2.4.\u003c/p\u003e\u003cbr/\u003e"
                }
              ],
              "value": "HashiCorp Terraform Enterprise contained an issue in its version control system (VCS) ingestion of registry modules that did not correctly enforce the intended boundary on packaged module content. This may allow an authenticated user to include files from outside the intended repository content in a module and then download them, potentially exposing sensitive files readable by the ingestion process. This vulnerability, CVE-2026-14468, is fixed in Terraform Enterprise v2.0.4 and v1.2.4."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-126",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-126: Path Traversal"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-06T20:59:47.011Z",
            "orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
            "shortName": "HashiCorp"
          },
          "references": [
            {
              "url": "https://discuss.hashicorp.com/t/hcsec-2026-17-terraform-enterprise-vulnerable-to-arbitrary-file-read/77549"
            }
          ],
          "source": {
            "advisory": "HCSEC-2026-17",
            "discovery": "INTERNAL"
          },
          "title": "Path traversal allows arbitrary file read in Terraform Enterprise container"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
        "assignerShortName": "HashiCorp",
        "cveId": "CVE-2026-14468",
        "datePublished": "2026-07-06T20:59:47.011Z",
        "dateReserved": "2026-07-02T14:02:23.960Z",
        "dateUpdated": "2026-07-07T13:52:51.836Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5051 (GCVE-0-2026-5051)

    Vulnerability from nvd – Published: 2026-07-01 17:10 – Updated: 2026-07-01 17:54
    VLAI
    Title
    Audit Log Plugin Directory Guard Bypass via Legacy path Option
    Summary
    HashiCorp Vault and Vault Enterprise prior to 2.0.1 audit device validation logic did not consistently apply plugin directory protections when the legacy file audit path option was used. This vulnerability (CVE-2026-5051) is fixed in 2.0.1, 1.21.6, 1.20.11, and 1.19.17.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
    Assigner
    Impacted products
    Vendor Product Version
    HashiCorp Vault Affected: 1.20.1 , < 2.0.1 (semver)
    Create a notification for this product.
    HashiCorp Vault Enterprise Affected: 1.19.0 , < 2.0.1 (semver)
    Create a notification for this product.
    Credits
    This issue was identified and reported by Vipin Chaudhary.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5051",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-01T17:54:21.733151Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-01T17:54:43.314Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "64 bit",
                "32 bit",
                "x86",
                "ARM",
                "MacOS",
                "Windows",
                "Linux"
              ],
              "product": "Vault",
              "repo": "https://github.com/hashicorp/vault",
              "vendor": "HashiCorp",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "1.20.11",
                      "status": "unaffected"
                    },
                    {
                      "at": "1.21.6",
                      "status": "unaffected"
                    },
                    {
                      "at": "2.0.1",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2.0.1",
                  "status": "affected",
                  "version": "1.20.1",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "64 bit",
                "32 bit",
                "x86",
                "ARM",
                "MacOS",
                "Windows",
                "Linux"
              ],
              "product": "Vault Enterprise",
              "repo": "https://github.com/hashicorp/vault",
              "vendor": "HashiCorp",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "1.19.17",
                      "status": "unaffected"
                    },
                    {
                      "at": "1.20.11",
                      "status": "unaffected"
                    },
                    {
                      "at": "1.21.6",
                      "status": "unaffected"
                    },
                    {
                      "at": "2.0.1",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2.0.1",
                  "status": "affected",
                  "version": "1.19.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "This issue was identified and reported by Vipin Chaudhary."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eHashiCorp Vault and Vault Enterprise prior to 2.0.1 audit device validation logic did not consistently apply plugin directory protections when the legacy file audit path option was used. \n\nThis vulnerability (CVE-2026-5051) is fixed in 2.0.1, 1.21.6, 1.20.11, and 1.19.17.\u003c/p\u003e\u003cbr/\u003e"
                }
              ],
              "value": "HashiCorp Vault and Vault Enterprise prior to 2.0.1 audit device validation logic did not consistently apply plugin directory protections when the legacy file audit path option was used. \n\nThis vulnerability (CVE-2026-5051) is fixed in 2.0.1, 1.21.6, 1.20.11, and 1.19.17."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-126",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-126: Path Traversal"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-01T17:10:56.918Z",
            "orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
            "shortName": "HashiCorp"
          },
          "references": [
            {
              "url": "https://discuss.hashicorp.com/t/hcsec-2026-16-vault-audit-device-plugin-directory-guard-bypass-via-legacy-path-option/77536"
            }
          ],
          "source": {
            "advisory": "HCSEC-2026-16",
            "discovery": "EXTERNAL"
          },
          "title": "Audit Log Plugin Directory Guard Bypass via Legacy path Option"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
        "assignerShortName": "HashiCorp",
        "cveId": "CVE-2026-5051",
        "datePublished": "2026-07-01T17:10:56.918Z",
        "dateReserved": "2026-03-27T17:45:14.081Z",
        "dateUpdated": "2026-07-01T17:54:43.314Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-8052 (GCVE-0-2026-8052)

    Vulnerability from nvd – Published: 2026-05-12 19:09 – Updated: 2026-05-12 20:22
    VLAI
    Title
    Nomad's exec2 task driver vulnerable to arbitrary file read/write on client host through symlink attack
    Summary
    HashiCorp Nomad’s exec2 task driver prior to 0.1.2 is vulnerable to arbitrary file read and write on the client host as the Nomad process user through a symlink attack. This vulnerability (CVE-2026-8052) is fixed in version 0.1.2 of the exec2 task driver.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-59 - Improper Link Resolution Before File Access (Link Following)
    Assigner
    Impacted products
    Vendor Product Version
    HashiCorp Shared library Affected: 0.1.0 , < 0.1.2 (semver)
    Create a notification for this product.
    Credits
    This issue was identified by the Nomad engineering team in conjunction with Alex Manson (Aiven / NeuroWinter).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8052",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-12T20:22:26.659986Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-12T20:22:44.939Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "64 bit",
                "32 bit",
                "x86",
                "ARM",
                "MacOS",
                "Windows",
                "Linux"
              ],
              "product": "Shared library",
              "repo": "https://github.com/hashicorp/nomad-driver-exec2",
              "vendor": "HashiCorp",
              "versions": [
                {
                  "lessThan": "0.1.2",
                  "status": "affected",
                  "version": "0.1.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "This issue was identified by the Nomad engineering team in conjunction with Alex Manson (Aiven / NeuroWinter)."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eHashiCorp Nomad\u2019s exec2 task driver prior to 0.1.2 is vulnerable to arbitrary file read and write on the client host as the Nomad process user through a symlink attack. This vulnerability (CVE-2026-8052) is fixed in version 0.1.2 of the exec2 task driver.\u003c/p\u003e\u003cbr/\u003e"
                }
              ],
              "value": "HashiCorp Nomad\u2019s exec2 task driver prior to 0.1.2 is vulnerable to arbitrary file read and write on the client host as the Nomad process user through a symlink attack. This vulnerability (CVE-2026-8052) is fixed in version 0.1.2 of the exec2 task driver."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-132",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-132: Symlink Attack"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-59",
                  "description": "CWE-59: Improper Link Resolution Before File Access (Link Following)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-12T19:09:15.248Z",
            "orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
            "shortName": "HashiCorp"
          },
          "references": [
            {
              "url": "https://discuss.hashicorp.com/t/hcsec-2026-13-nomads-exec2-task-driver-vulnerable-to-arbitrary-file-read-write-on-client-host-through-symlink-attack/77415"
            }
          ],
          "source": {
            "advisory": "HCSEC-2026-13",
            "discovery": "EXTERNAL"
          },
          "title": "Nomad\u0027s exec2 task driver vulnerable to arbitrary file read/write on client host through symlink attack"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
        "assignerShortName": "HashiCorp",
        "cveId": "CVE-2026-8052",
        "datePublished": "2026-05-12T19:09:15.248Z",
        "dateReserved": "2026-05-06T18:39:30.181Z",
        "dateUpdated": "2026-05-12T20:22:44.939Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-7474 (GCVE-0-2026-7474)

    Vulnerability from nvd – Published: 2026-05-12 19:09 – Updated: 2026-05-13 03:58
    VLAI
    Title
    Nomad vulnerable to path traversal in dynamic host volume which may lead to code execution
    Summary
    HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to code execution on the client host through a path traversal attack. This vulnerability (CVE-2026-7474) is fixed in Nomad 2.0.1, 1.11.5 and 1.10.11.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
    Assigner
    Impacted products
    Vendor Product Version
    HashiCorp Nomad Affected: 1.10.0 , < 2.0.1 (semver)
    Create a notification for this product.
    HashiCorp Nomad Enterprise Affected: 1.10.0 , < 2.0.1 (semver)
    Create a notification for this product.
    Credits
    This issue was reported to HashiCorp by Adrian Denkiewicz at Doyensec in collaboration with Claude and Anthropic Research
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-7474",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-12T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-13T03:58:40.530Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "64 bit",
                "32 bit",
                "x86",
                "ARM",
                "MacOS",
                "Windows",
                "Linux"
              ],
              "product": "Nomad",
              "repo": "https://github.com/hashicorp/nomad",
              "vendor": "HashiCorp",
              "versions": [
                {
                  "lessThan": "2.0.1",
                  "status": "affected",
                  "version": "1.10.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "64 bit",
                "32 bit",
                "x86",
                "ARM",
                "MacOS",
                "Windows",
                "Linux"
              ],
              "product": "Nomad Enterprise",
              "repo": "https://github.com/hashicorp/nomad",
              "vendor": "HashiCorp",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "1.10.11",
                      "status": "unaffected"
                    },
                    {
                      "at": "1.11.5",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2.0.1",
                  "status": "affected",
                  "version": "1.10.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "This issue was reported to HashiCorp by Adrian Denkiewicz at Doyensec in collaboration with Claude and Anthropic Research"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eHashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to code execution on the client host through a path traversal attack. This vulnerability (CVE-2026-7474) is fixed in Nomad 2.0.1, 1.11.5 and 1.10.11.\u003c/p\u003e\u003cbr/\u003e"
                }
              ],
              "value": "HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to code execution on the client host through a path traversal attack. This vulnerability (CVE-2026-7474) is fixed in Nomad 2.0.1, 1.11.5 and 1.10.11."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-126",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-126: Path Traversal"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-12T19:09:44.680Z",
            "orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
            "shortName": "HashiCorp"
          },
          "references": [
            {
              "url": "https://discuss.hashicorp.com/t/hcsec-2026-15-nomad-vulnerable-to-path-traversal-in-dynamic-host-volume-which-may-lead-to-code-execution/77417"
            }
          ],
          "source": {
            "advisory": "HCSEC-2026-15",
            "discovery": "EXTERNAL"
          },
          "title": "Nomad vulnerable to path traversal in dynamic host volume which may lead to code execution"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
        "assignerShortName": "HashiCorp",
        "cveId": "CVE-2026-7474",
        "datePublished": "2026-05-12T19:09:44.680Z",
        "dateReserved": "2026-04-29T21:07:13.054Z",
        "dateUpdated": "2026-05-13T03:58:40.530Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6959 (GCVE-0-2026-6959)

    Vulnerability from nvd – Published: 2026-05-12 18:59 – Updated: 2026-05-12 20:16
    VLAI
    Title
    Nomad vulnerable to arbitrary file read/write on client host through symlink attack
    Summary
    HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to arbitrary file read and write on the client host as the Nomad process user through a symlink attack. This vulnerability (CVE-2026-6959) is fixed in Nomad 2.0.1, 1.11.5 and 1.10.11.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-59 - Improper Link Resolution Before File Access (Link Following)
    Assigner
    Impacted products
    Vendor Product Version
    HashiCorp Nomad Affected: 0.9.0 , < 2.0.1 (semver)
    Create a notification for this product.
    HashiCorp Nomad Enterprise Affected: 0.9.0 , < 2.0.1 (semver)
    Create a notification for this product.
    Credits
    This issue was identified by Alex Manson (Aiven / NeuroWinter).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6959",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-12T20:14:14.584948Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-12T20:16:15.200Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "64 bit",
                "32 bit",
                "x86",
                "ARM",
                "MacOS",
                "Windows",
                "Linux"
              ],
              "product": "Nomad",
              "repo": "https://github.com/hashicorp/nomad",
              "vendor": "HashiCorp",
              "versions": [
                {
                  "lessThan": "2.0.1",
                  "status": "affected",
                  "version": "0.9.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "64 bit",
                "32 bit",
                "x86",
                "ARM",
                "MacOS",
                "Windows",
                "Linux"
              ],
              "product": "Nomad Enterprise",
              "repo": "https://github.com/hashicorp/nomad",
              "vendor": "HashiCorp",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "1.11.5",
                      "status": "unaffected"
                    },
                    {
                      "at": "1.10.11",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2.0.1",
                  "status": "affected",
                  "version": "0.9.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "This issue was identified by Alex Manson (Aiven / NeuroWinter)."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eHashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to arbitrary file read and write on the client host as the Nomad process user through a symlink attack. This vulnerability (CVE-2026-6959) is fixed in Nomad 2.0.1, 1.11.5 and 1.10.11.\u003c/p\u003e\u003cbr/\u003e"
                }
              ],
              "value": "HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to arbitrary file read and write on the client host as the Nomad process user through a symlink attack. This vulnerability (CVE-2026-6959) is fixed in Nomad 2.0.1, 1.11.5 and 1.10.11."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-132",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-132: Symlink Attack"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-59",
                  "description": "CWE-59: Improper Link Resolution Before File Access (Link Following)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-12T18:59:09.029Z",
            "orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
            "shortName": "HashiCorp"
          },
          "references": [
            {
              "url": "https://discuss.hashicorp.com/t/hcsec-2026-14-nomad-arbitrary-file-read-write-on-client-host-through-symlink-attack/77416"
            }
          ],
          "source": {
            "advisory": "HCSEC-2026-14",
            "discovery": "EXTERNAL"
          },
          "title": "Nomad vulnerable to arbitrary file read/write on client host through symlink attack"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
        "assignerShortName": "HashiCorp",
        "cveId": "CVE-2026-6959",
        "datePublished": "2026-05-12T18:59:09.029Z",
        "dateReserved": "2026-04-24T14:29:55.377Z",
        "dateUpdated": "2026-05-12T20:16:15.200Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5061 (GCVE-0-2026-5061)

    Vulnerability from nvd – Published: 2026-05-12 13:58 – Updated: 2026-05-12 15:43
    VLAI
    Title
    Consul-template vulnerable to sandbox path bypass in file helper via a symlink attack
    Summary
    The consul-template library before version 0.42.0 is vulnerable to a sandbox path bypass in the file template helper that may allow reading an out-of-sandbox file. This vulnerability (CVE-2026-5061) is fixed in consul-template 0.42.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-59 - Improper Link Resolution Before File Access (Link Following)
    Assigner
    Impacted products
    Vendor Product Version
    HashiCorp Tooling Affected: 0.1.0 , < 0.42.0 (semver)
    Create a notification for this product.
    Credits
    This issue was reported to HashiCorp by Mohamed Abdelaal (0xmrma).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5061",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-12T15:42:51.707805Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-12T15:43:01.985Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "64 bit",
                "32 bit",
                "x86",
                "ARM",
                "MacOS",
                "Windows",
                "Linux"
              ],
              "product": "Tooling",
              "repo": "https://github.com/hashicorp/consul-template",
              "vendor": "HashiCorp",
              "versions": [
                {
                  "lessThan": "0.42.0",
                  "status": "affected",
                  "version": "0.1.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "This issue was reported to HashiCorp by Mohamed Abdelaal (0xmrma)."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThe consul-template library before version 0.42.0 is vulnerable to a sandbox path bypass in the file template helper that may allow reading an out-of-sandbox file. This vulnerability (CVE-2026-5061) is fixed in consul-template 0.42.0.\u003c/p\u003e\u003cbr/\u003e"
                }
              ],
              "value": "The consul-template library before version 0.42.0 is vulnerable to a sandbox path bypass in the file template helper that may allow reading an out-of-sandbox file. This vulnerability (CVE-2026-5061) is fixed in consul-template 0.42.0."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-132",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-132: Symlink Attack"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-59",
                  "description": "CWE-59: Improper Link Resolution Before File Access (Link Following)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-12T13:58:20.409Z",
            "orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
            "shortName": "HashiCorp"
          },
          "references": [
            {
              "url": "https://discuss.hashicorp.com/t/hcsec-2026-12-consul-template-vulnerable-to-sandbox-path-bypass-in-file-helper-through-symlink-attack/77414"
            }
          ],
          "source": {
            "advisory": "HCSEC-2026-12",
            "discovery": "EXTERNAL"
          },
          "title": "Consul-template vulnerable to sandbox path bypass in file helper via a symlink attack"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
        "assignerShortName": "HashiCorp",
        "cveId": "CVE-2026-5061",
        "datePublished": "2026-05-12T13:58:20.409Z",
        "dateReserved": "2026-03-27T18:27:28.875Z",
        "dateUpdated": "2026-05-12T15:43:01.985Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-7776 (GCVE-0-2026-7776)

    Vulnerability from nvd – Published: 2026-05-04 21:34 – Updated: 2026-05-05 14:14
    VLAI
    Title
    Boundary Workers Vulnerable to Denial of Service During TLS Handshake
    Summary
    Boundary Community Edition and Boundary Enterprise (“Boundary”) workers are vulnerable to a denial-of-service condition during node enrollment TLS handshakes. An attacker with network access to the worker authentication listener may open a connection and delay or withhold the client certificate during the TLS handshake, causing worker connection handling to block. This may prevent legitimate worker connections from being accepted or routed. This vulnerability, CVE-2026-7776, is fixed in Boundary 0.21.3, 0.20.3, 0.19.5.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    Impacted products
    Vendor Product Version
    HashiCorp Boundary Affected: 0.9.0 , < 0.21.3 (semver)
    Create a notification for this product.
    HashiCorp Boundary Enterprise Affected: 0.9.0 , < 0.21.3 (semver)
    Create a notification for this product.
    Credits
    This issue was identified by the Boundary Engineering team.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-7776",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-05T13:20:57.356797Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-05T14:14:05.799Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "64 bit",
                "32 bit",
                "x86",
                "ARM",
                "MacOS",
                "Windows",
                "Linux"
              ],
              "product": "Boundary",
              "repo": "https://github.com/hashicorp/boundary",
              "vendor": "HashiCorp",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "0.19.5",
                      "status": "unaffected"
                    },
                    {
                      "at": "0.20.3",
                      "status": "unaffected"
                    },
                    {
                      "at": "0.21.3",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "0.21.3",
                  "status": "affected",
                  "version": "0.9.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "64 bit",
                "32 bit",
                "x86",
                "ARM",
                "MacOS",
                "Windows",
                "Linux"
              ],
              "product": "Boundary Enterprise",
              "repo": "https://github.com/hashicorp/boundary",
              "vendor": "HashiCorp",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "0.19.5",
                      "status": "unaffected"
                    },
                    {
                      "at": "0.20.3",
                      "status": "unaffected"
                    },
                    {
                      "at": "0.21.3",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "0.21.3",
                  "status": "affected",
                  "version": "0.9.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "This issue was identified by the Boundary Engineering team."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eBoundary Community Edition and Boundary Enterprise (\u201cBoundary\u201d) workers are vulnerable to a denial-of-service condition during node enrollment TLS handshakes. An attacker with network access to the worker authentication listener may open a connection and delay or withhold the client certificate during the TLS handshake, causing worker connection handling to block. This may prevent legitimate worker connections from being accepted or routed. This vulnerability, CVE-2026-7776, is fixed in Boundary 0.21.3, 0.20.3, 0.19.5.\u003c/p\u003e\u003cbr/\u003e"
                }
              ],
              "value": "Boundary Community Edition and Boundary Enterprise (\u201cBoundary\u201d) workers are vulnerable to a denial-of-service condition during node enrollment TLS handshakes. An attacker with network access to the worker authentication listener may open a connection and delay or withhold the client certificate during the TLS handshake, causing worker connection handling to block. This may prevent legitimate worker connections from being accepted or routed. This vulnerability, CVE-2026-7776, is fixed in Boundary 0.21.3, 0.20.3, 0.19.5."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-227",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-227: Sustained Client Engagement"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-04T21:36:18.758Z",
            "orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
            "shortName": "HashiCorp"
          },
          "references": [
            {
              "url": "https://discuss.hashicorp.com/t/hcsec-2026-11-boundary-workers-vulnerable-to-denial-of-service-during-tls-handshake"
            }
          ],
          "source": {
            "advisory": "HCSEC-2026-11",
            "discovery": "INTERNAL"
          },
          "title": "Boundary Workers Vulnerable to Denial of Service During TLS Handshake"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
        "assignerShortName": "HashiCorp",
        "cveId": "CVE-2026-7776",
        "datePublished": "2026-05-04T21:34:10.975Z",
        "dateReserved": "2026-05-04T15:10:16.232Z",
        "dateUpdated": "2026-05-05T14:14:05.799Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5807 (GCVE-0-2026-5807)

    Vulnerability from nvd – Published: 2026-04-17 03:22 – Updated: 2026-06-30 12:11
    VLAI
    Title
    Vault Vulnerable to Denial-of-Service via Unauthenticated Root Token Generation/Rekey Operations
    Summary
    Vault is vulnerable to a denial-of-service condition where an unauthenticated attacker can repeatedly initiate or cancel root token generation or rekey operations, occupying the single in-progress operation slot. This prevents legitimate operators from completing these workflows. This vulnerability, CVE-2026-5807, is fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    Impacted products
    Credits
    This issue was identified by XlabAI Team of Tencent Xuanwu Lab and the Atuin Automated Vulnerability Discovery Engine who reported it to HashiCorp.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5807",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-17T13:18:46.561122Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-17T13:19:07.594Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_data_foundation:4"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Openshift Data Foundation 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift:4"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat OpenShift Container Platform 4",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-04-17T03:22:13.816Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in Vault. An unauthenticated attacker can repeatedly initiate or cancel root token generation or rekey operations. This action occupies the single slot designated for in-progress operations, effectively preventing legitimate operators from completing critical administrative workflows. This vulnerability leads to a denial-of-service condition, impacting the availability of Vault\u0027s key management functions."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-770",
                    "description": "Allocation of Resources Without Limits or Throttling",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:11:12.664Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-5807"
              },
              {
                "name": "RHBZ#2459109",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2459109"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-5807.json"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-04-17T05:00:53.880Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-04-17T03:22:13.816Z",
                "value": "Made public."
              }
            ],
            "title": "Vault: Vault: Denial of Service via unauthenticated root token generation or rekey operations",
            "workarounds": [
              {
                "lang": "en",
                "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "64 bit",
                "32 bit",
                "x86",
                "ARM",
                "MacOS",
                "Windows",
                "Linux"
              ],
              "product": "Vault",
              "repo": "https://github.com/hashicorp/vault",
              "vendor": "HashiCorp",
              "versions": [
                {
                  "lessThan": "2.0.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "64 bit",
                "32 bit",
                "x86",
                "ARM",
                "MacOS",
                "Windows",
                "Linux"
              ],
              "product": "Vault Enterprise",
              "repo": "https://github.com/hashicorp/vault",
              "vendor": "HashiCorp",
              "versions": [
                {
                  "lessThan": "2.0.0.",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "This issue was identified by XlabAI Team of Tencent Xuanwu Lab and the Atuin Automated Vulnerability Discovery Engine who reported it to HashiCorp."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eVault is vulnerable to a denial-of-service condition where an unauthenticated attacker can repeatedly initiate or cancel root token generation or rekey operations, occupying the single in-progress operation slot. This prevents legitimate operators from completing these workflows. This vulnerability, CVE-2026-5807, is fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0.\u003c/p\u003e\u003cbr/\u003e"
                }
              ],
              "value": "Vault is vulnerable to a denial-of-service condition where an unauthenticated attacker can repeatedly initiate or cancel root token generation or rekey operations, occupying the single in-progress operation slot. This prevents legitimate operators from completing these workflows. This vulnerability, CVE-2026-5807, is fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-125",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-125: Flooding"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-17T17:57:55.504Z",
            "orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
            "shortName": "HashiCorp"
          },
          "references": [
            {
              "url": "https://discuss.hashicorp.com/t/hcsec-2026-08-vault-vulnerable-to-denial-of-service-via-unauthenticated-root-token-generation-rekey-operations/77345"
            }
          ],
          "source": {
            "advisory": "HCSEC-2026-08",
            "discovery": "EXTERNAL"
          },
          "title": "Vault Vulnerable to Denial-of-Service via Unauthenticated Root Token Generation/Rekey Operations"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
        "assignerShortName": "HashiCorp",
        "cveId": "CVE-2026-5807",
        "datePublished": "2026-04-17T03:22:13.816Z",
        "dateReserved": "2026-04-08T14:43:57.845Z",
        "dateUpdated": "2026-06-30T12:11:12.664Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5052 (GCVE-0-2026-5052)

    Vulnerability from nvd – Published: 2026-04-17 02:55 – Updated: 2026-04-17 17:57
    VLAI
    Title
    Vault Vulnerable to Server-Side Request Forgery in ACME Challenge Validation via Attacker-Controlled DNS
    Summary
    Vault’s PKI engine’s ACME validation did not reject local targets when issuing http-01 and tls-alpn-01 challenges. This may lead to these requests being sent to local network targets, potentially leading to information disclosure. Fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    Impacted products
    Vendor Product Version
    HashiCorp Vault Affected: 1.15.0 , < 2.0.0 (semver)
    Create a notification for this product.
    HashiCorp Vault Enterprise Affected: 1.15.0 , < 2.0.0 (semver)
    Create a notification for this product.
    Credits
    This issue was independently identified and reported by Oleh Konko of 1seal, as well as Vipin Chaudhary.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5052",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-17T13:19:57.168697Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-17T13:20:07.590Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "64 bit",
                "32 bit",
                "x86",
                "ARM",
                "MacOS",
                "Windows",
                "Linux"
              ],
              "product": "Vault",
              "repo": "https://github.com/hashicorp/vault",
              "vendor": "HashiCorp",
              "versions": [
                {
                  "lessThan": "2.0.0",
                  "status": "affected",
                  "version": "1.15.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "64 bit",
                "32 bit",
                "x86",
                "ARM",
                "MacOS",
                "Windows",
                "Linux"
              ],
              "product": "Vault Enterprise",
              "repo": "https://github.com/hashicorp/vault",
              "vendor": "HashiCorp",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "1.19.16",
                      "status": "unaffected"
                    },
                    {
                      "at": "1.20.10",
                      "status": "unaffected"
                    },
                    {
                      "at": "1.21.5",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2.0.0",
                  "status": "affected",
                  "version": "1.15.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "This issue was independently identified and reported by Oleh Konko of 1seal, as well as Vipin Chaudhary."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eVault\u2019s PKI engine\u2019s ACME validation did not reject local targets when issuing http-01 and tls-alpn-01 challenges. This may lead to these requests being sent to local network targets, potentially leading to information disclosure. Fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.\u003c/p\u003e\u003cbr/\u003e"
                }
              ],
              "value": "Vault\u2019s PKI engine\u2019s ACME validation did not reject local targets when issuing http-01 and tls-alpn-01 challenges. This may lead to these requests being sent to local network targets, potentially leading to information disclosure. Fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-118",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-118: Collect and Analyze Information"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918: Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-17T17:57:55.377Z",
            "orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
            "shortName": "HashiCorp"
          },
          "references": [
            {
              "url": "https://discuss.hashicorp.com/t/hcsec-2026-06-vault-vulnerable-to-server-side-request-forgery-in-acme-challenge-validation-via-attacker-controlled-dns/77343"
            }
          ],
          "source": {
            "advisory": "HCSEC-2026-06",
            "discovery": "EXTERNAL"
          },
          "title": "Vault Vulnerable to Server-Side Request Forgery in ACME Challenge Validation via Attacker-Controlled DNS"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
        "assignerShortName": "HashiCorp",
        "cveId": "CVE-2026-5052",
        "datePublished": "2026-04-17T02:55:25.080Z",
        "dateReserved": "2026-03-27T17:50:20.727Z",
        "dateUpdated": "2026-04-17T17:57:55.377Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-4525 (GCVE-0-2026-4525)

    Vulnerability from nvd – Published: 2026-04-17 03:00 – Updated: 2026-06-30 12:10
    VLAI
    Title
    Vault Token Leaked to Backends via Authorization: Bearer Passthrough Header
    Summary
    If a Vault auth mount is configured to pass through the "Authorization" header, and the "Authorization" header is used to authenticate to Vault, Vault forwarded the Vault token to the auth plugin backend. Fixed in 2.0.0, 1.21.5, 1.20.10, and 1.19.16.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-201 - Insertion of Sensitive Information Into Sent Data
    Assigner
    Impacted products
    Credits
    This issue was identified and reported by Oleh Konko of 1seal.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-4525",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-17T13:19:26.452614Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-17T13:19:32.463Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_data_foundation:4"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Openshift Data Foundation 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift:4"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat OpenShift Container Platform 4",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-04-17T03:00:47.561Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in Vault. When a Vault authentication mount is configured to pass through the \"Authorization\" header, and this header is used for authentication, Vault incorrectly forwards the sensitive Vault token to the authentication plugin backend. This can lead to the disclosure of authentication tokens to potentially untrusted or compromised backend plugins, enabling unauthorized access or further system compromise."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "HIGH",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-201",
                    "description": "Insertion of Sensitive Information Into Sent Data",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:10:40.586Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-4525"
              },
              {
                "name": "RHBZ#2459107",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2459107"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-4525.json"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-04-17T04:01:24.934Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-04-17T03:00:47.561Z",
                "value": "Made public."
              }
            ],
            "title": "Vault: Vault: Information disclosure of authentication tokens via incorrect header handling",
            "workarounds": [
              {
                "lang": "en",
                "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "64 bit",
                "32 bit",
                "x86",
                "ARM",
                "MacOS",
                "Windows",
                "Linux"
              ],
              "product": "Vault",
              "repo": "https://github.com/hashicorp/vault",
              "vendor": "HashiCorp",
              "versions": [
                {
                  "lessThan": "2.0.0",
                  "status": "affected",
                  "version": "0.11.2",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "64 bit",
                "32 bit",
                "x86",
                "ARM",
                "MacOS",
                "Windows",
                "Linux"
              ],
              "product": "Vault Enterprise",
              "repo": "https://github.com/hashicorp/vault",
              "vendor": "HashiCorp",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "1.19.16",
                      "status": "unaffected"
                    },
                    {
                      "at": "1.20.10",
                      "status": "unaffected"
                    },
                    {
                      "at": "1.21.5",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2.0.0",
                  "status": "affected",
                  "version": "0.11.2",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "This issue was identified and reported by Oleh Konko of 1seal."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eIf a Vault auth mount is configured to pass through the \"Authorization\" header, and the \"Authorization\" header is used to authenticate to Vault, Vault forwarded the Vault token to the auth plugin backend. Fixed in 2.0.0, 1.21.5, 1.20.10, and 1.19.16.\u003c/p\u003e\u003cbr/\u003e"
                }
              ],
              "value": "If a Vault auth mount is configured to pass through the \"Authorization\" header, and the \"Authorization\" header is used to authenticate to Vault, Vault forwarded the Vault token to the auth plugin backend. Fixed in 2.0.0, 1.21.5, 1.20.10, and 1.19.16."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-118",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-118: Collect and Analyze Information"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-201",
                  "description": "CWE-201: Insertion of Sensitive Information Into Sent Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-17T17:22:41.255Z",
            "orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
            "shortName": "HashiCorp"
          },
          "references": [
            {
              "url": "https://discuss.hashicorp.com/t/hcsec-2026-07-vault-may-expose-tokens-to-auth-plugins-due-to-incorrect-header-sanitization/77344"
            }
          ],
          "source": {
            "advisory": "HCSEC-2026-08",
            "discovery": "EXTERNAL"
          },
          "title": "Vault Token Leaked to Backends via Authorization: Bearer Passthrough Header"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
        "assignerShortName": "HashiCorp",
        "cveId": "CVE-2026-4525",
        "datePublished": "2026-04-17T03:00:47.561Z",
        "dateReserved": "2026-03-20T17:47:40.835Z",
        "dateUpdated": "2026-06-30T12:10:40.586Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-3605 (GCVE-0-2026-3605)

    Vulnerability from nvd – Published: 2026-04-17 02:44 – Updated: 2026-06-30 12:09
    VLAI
    Title
    Vault KVv2 Metadata and Secret Deletion Policy Bypass Denial-of-Service
    Summary
    An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user to delete secrets across namespaces, nor read any secret data. Fxed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-288 - Authentication Bypass Using an Alternate Path or Channel
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Credits
    This issue was independently identified and reported by chungkn from OneMount Group, as well as Andy RUSSON et Gabriel DEPARTOUT from almond.eu , sponsored the ANSSI (French Cybersecurity Agency) open-source security audit program.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-3605",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-17T13:20:23.015074Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-17T13:20:28.557Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_data_foundation:4"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Openshift Data Foundation 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift:4"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat OpenShift Container Platform 4",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-04-17T02:44:42.032Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in Vault. An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write. This vulnerability can lead to a denial-of-service by allowing the deletion of critical data. It does not permit a malicious user to delete secrets across namespaces or read any secret data."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 8.1,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-639",
                    "description": "Authorization Bypass Through User-Controlled Key",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:09:24.426Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-3605"
              },
              {
                "name": "RHBZ#2459105",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2459105"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-3605.json"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-04-17T04:01:18.559Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-04-17T02:44:42.032Z",
                "value": "Made public."
              }
            ],
            "title": "Vault: Vault: Denial of Service due to unauthorized secret deletion via policy bypass",
            "workarounds": [
              {
                "lang": "en",
                "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "64 bit",
                "32 bit",
                "x86",
                "ARM",
                "MacOS",
                "Windows",
                "Linux"
              ],
              "product": "Vault",
              "repo": "https://github.com/hashicorp/vault",
              "vendor": "HashiCorp",
              "versions": [
                {
                  "lessThan": "2.0.0",
                  "status": "affected",
                  "version": "0.10.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "64 bit",
                "32 bit",
                "x86",
                "ARM",
                "MacOS",
                "Windows",
                "Linux"
              ],
              "product": "Vault Enterprise",
              "repo": "https://github.com/hashicorp/vault",
              "vendor": "HashiCorp",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "1.19.16",
                      "status": "unaffected"
                    },
                    {
                      "at": "1.20.10",
                      "status": "unaffected"
                    },
                    {
                      "at": "1.21.5",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2.0.0",
                  "status": "affected",
                  "version": "0.10.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "This issue was independently identified and reported by chungkn from OneMount Group, as well as Andy RUSSON et Gabriel DEPARTOUT from almond.eu , sponsored the ANSSI (French Cybersecurity Agency) open-source security audit program."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user to delete secrets across namespaces, nor read any secret data. Fxed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.\u003c/p\u003e\u003cbr/\u003e"
                }
              ],
              "value": "An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user to delete secrets across namespaces, nor read any secret data. Fxed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-126",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-126: Path Traversal"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-288",
                  "description": "CWE-288: Authentication Bypass Using an Alternate Path or Channel",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-17T17:57:55.431Z",
            "orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
            "shortName": "HashiCorp"
          },
          "references": [
            {
              "url": "https://discuss.hashicorp.com/t/hcsec-2026-05-vault-kvv2-metadata-and-secret-deletion-policy-bypass-denial-of-service/77342"
            }
          ],
          "source": {
            "advisory": "HCSEC-2026-05",
            "discovery": "EXTERNAL"
          },
          "title": "Vault KVv2 Metadata and Secret Deletion Policy Bypass Denial-of-Service"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
        "assignerShortName": "HashiCorp",
        "cveId": "CVE-2026-3605",
        "datePublished": "2026-04-17T02:44:42.032Z",
        "dateReserved": "2026-03-05T16:37:23.520Z",
        "dateUpdated": "2026-06-30T12:09:24.426Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-14896 (GCVE-0-2026-14896)

    Vulnerability from cvelistv5 – Published: 2026-07-08 20:21 – Updated: 2026-07-08 20:21
    VLAI
    Title
    Nomad vulnerable to cross-namespace host volume claim deletion
    Summary
    HashiCorp Nomad and Nomad Enterprise are vulnerable to a cross-namespace authorization bypass in the dynamic host volumes feature that may allow an operator holding the host volume delete permission in one namespace to delete a sticky volume claim belonging to a job in another namespace. This vulnerability, CVE-2026-14896, is fixed in Nomad Community Edition 2.0.4 and Nomad Enterprise 2.0.4, 1.11.8, and 1.10.14.
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    Impacted products
    Vendor Product Version
    HashiCorp Nomad Affected: 0.4.1 , < 2.0.4 (semver)
    Create a notification for this product.
    HashiCorp Nomad Enterprise Affected: 0.4.1 , < 2.0.4 (semver)
    Create a notification for this product.
    Credits
    This issue was reported to HashiCorp by George Chen.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "64 bit",
                "32 bit",
                "x86",
                "ARM",
                "MacOS",
                "Windows",
                "Linux"
              ],
              "product": "Nomad",
              "repo": "https://github.com/hashicorp/nomad",
              "vendor": "HashiCorp",
              "versions": [
                {
                  "lessThan": "2.0.4",
                  "status": "affected",
                  "version": "0.4.1",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "64 bit",
                "32 bit",
                "x86",
                "ARM",
                "MacOS",
                "Windows",
                "Linux"
              ],
              "product": "Nomad Enterprise",
              "repo": "https://github.com/hashicorp/nomad",
              "vendor": "HashiCorp",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "1.11.8",
                      "status": "unaffected"
                    },
                    {
                      "at": "1.10.14",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2.0.4",
                  "status": "affected",
                  "version": "0.4.1",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "This issue was reported to HashiCorp by George Chen."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eHashiCorp Nomad and Nomad Enterprise are vulnerable to a cross-namespace authorization bypass in the dynamic host volumes feature that may allow an operator holding the host volume delete permission in one namespace to delete a sticky volume claim belonging to a job in another namespace. This vulnerability, CVE-2026-14896, is fixed in Nomad Community Edition 2.0.4 and Nomad Enterprise 2.0.4, 1.11.8, and 1.10.14.\u003c/p\u003e\u003cbr/\u003e"
                }
              ],
              "value": "HashiCorp Nomad and Nomad Enterprise are vulnerable to a cross-namespace authorization bypass in the dynamic host volumes feature that may allow an operator holding the host volume delete permission in one namespace to delete a sticky volume claim belonging to a job in another namespace. This vulnerability, CVE-2026-14896, is fixed in Nomad Community Edition 2.0.4 and Nomad Enterprise 2.0.4, 1.11.8, and 1.10.14."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-1",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.2,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T20:21:16.463Z",
            "orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
            "shortName": "HashiCorp"
          },
          "references": [
            {
              "url": "https://discuss.hashicorp.com/t/hcsec-2026-22-nomad-vulnerable-to-cross-namespace-host-volume-claim-deletion/77562"
            }
          ],
          "source": {
            "advisory": "HCSEC-2026-22",
            "discovery": "EXTERNAL"
          },
          "title": "Nomad vulnerable to cross-namespace host volume claim deletion"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
        "assignerShortName": "HashiCorp",
        "cveId": "CVE-2026-14896",
        "datePublished": "2026-07-08T20:21:16.463Z",
        "dateReserved": "2026-07-06T18:35:49.618Z",
        "dateUpdated": "2026-07-08T20:21:16.463Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-14361 (GCVE-0-2026-14361)

    Vulnerability from cvelistv5 – Published: 2026-07-08 20:11 – Updated: 2026-07-08 20:37
    VLAI
    Title
    Consul-template is vulnerable to path redirection in writeToFile through symlink attack
    Summary
    The consul-template library before version 0.42.1 is vulnerable to a path redirection issue in the writeToFile template helper that may allow template output to be written outside the intended directory or to overwrite an existing file. This vulnerability (CVE-2026-14361) is fixed in consul-template 0.42.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-59 - Improper Link Resolution Before File Access (Link Following)
    Assigner
    Impacted products
    Vendor Product Version
    HashiCorp Tooling Affected: 0.1.0 , < 0.42.1 (semver)
    Create a notification for this product.
    Credits
    This issue was reported to HashiCorp by Mohamed Abdelaal (0xmrma).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-14361",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T20:37:49.249358Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T20:37:56.570Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "64 bit",
                "32 bit",
                "x86",
                "ARM",
                "MacOS",
                "Windows",
                "Linux"
              ],
              "product": "Tooling",
              "repo": "https://github.com/hashicorp/consul-template",
              "vendor": "HashiCorp",
              "versions": [
                {
                  "lessThan": "0.42.1",
                  "status": "affected",
                  "version": "0.1.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "This issue was reported to HashiCorp by Mohamed Abdelaal (0xmrma)."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThe consul-template library before version 0.42.1 is vulnerable to a path redirection issue in the writeToFile template helper that may allow template output to be written outside the intended directory or to overwrite an existing file. This vulnerability (CVE-2026-14361) is fixed in consul-template 0.42.1.\u003c/p\u003e\u003cbr/\u003e"
                }
              ],
              "value": "The consul-template library before version 0.42.1 is vulnerable to a path redirection issue in the writeToFile template helper that may allow template output to be written outside the intended directory or to overwrite an existing file. This vulnerability (CVE-2026-14361) is fixed in consul-template 0.42.1."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-132",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-132: Symlink Attack"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-59",
                  "description": "CWE-59: Improper Link Resolution Before File Access (Link Following)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T20:11:32.799Z",
            "orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
            "shortName": "HashiCorp"
          },
          "references": [
            {
              "url": "https://discuss.hashicorp.com/t/hcsec-2026-20-consul-template-vulnerable-to-path-redirections-in-writetofile/77559"
            }
          ],
          "source": {
            "advisory": "HCSEC-2026-20",
            "discovery": "EXTERNAL"
          },
          "title": "Consul-template is vulnerable to path redirection in writeToFile through symlink attack"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
        "assignerShortName": "HashiCorp",
        "cveId": "CVE-2026-14361",
        "datePublished": "2026-07-08T20:11:32.799Z",
        "dateReserved": "2026-07-01T19:00:00.428Z",
        "dateUpdated": "2026-07-08T20:37:56.570Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-14891 (GCVE-0-2026-14891)

    Vulnerability from cvelistv5 – Published: 2026-07-08 20:09 – Updated: 2026-07-08 20:36
    VLAI
    Title
    Nomad vulnerable to sandbox escape in Docker task driver
    Summary
    HashiCorp Nomad and Nomad Enterprise are vulnerable to a sandbox escape in the Docker task driver that may allow a job submitter to bind-mount a host path into a container even when volume bind mounts are disabled, potentially leading to reading and writing files on the host. This vulnerability, CVE-2026-14891, is fixed in Nomad Community Edition 2.0.4 and Nomad Enterprise 2.0.4, 1.11.8, and 1.10.14.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-59 - Improper Link Resolution Before File Access (Link Following)
    Assigner
    Impacted products
    Vendor Product Version
    HashiCorp Nomad Affected: 0.4.1 , < 2.0.4 (semver)
    Create a notification for this product.
    HashiCorp Nomad Enterprise Affected: 0.4.1 , < 2.0.4 (semver)
    Create a notification for this product.
    Credits
    This issue was reported to HashiCorp by Volkan Kutal, GitHub handle @KutalVolkan.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-14891",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T20:35:42.568630Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T20:36:00.440Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "64 bit",
                "32 bit",
                "x86",
                "ARM",
                "MacOS",
                "Windows",
                "Linux"
              ],
              "product": "Nomad",
              "repo": "https://github.com/hashicorp/nomad",
              "vendor": "HashiCorp",
              "versions": [
                {
                  "lessThan": "2.0.4",
                  "status": "affected",
                  "version": "0.4.1",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "64 bit",
                "32 bit",
                "x86",
                "ARM",
                "MacOS",
                "Windows",
                "Linux"
              ],
              "product": "Nomad Enterprise",
              "repo": "https://github.com/hashicorp/nomad",
              "vendor": "HashiCorp",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "1.11.8",
                      "status": "unaffected"
                    },
                    {
                      "at": "1.10.14",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2.0.4",
                  "status": "affected",
                  "version": "0.4.1",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "This issue was reported to HashiCorp by Volkan Kutal, GitHub handle @KutalVolkan."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eHashiCorp Nomad and Nomad Enterprise are vulnerable to a sandbox escape in the Docker task driver that may allow a job submitter to bind-mount a host path into a container even when volume bind mounts are disabled, potentially leading to reading and writing files on the host. This vulnerability, CVE-2026-14891, is fixed in Nomad Community Edition 2.0.4 and Nomad Enterprise 2.0.4, 1.11.8, and 1.10.14.\u003c/p\u003e\u003cbr/\u003e"
                }
              ],
              "value": "HashiCorp Nomad and Nomad Enterprise are vulnerable to a sandbox escape in the Docker task driver that may allow a job submitter to bind-mount a host path into a container even when volume bind mounts are disabled, potentially leading to reading and writing files on the host. This vulnerability, CVE-2026-14891, is fixed in Nomad Community Edition 2.0.4 and Nomad Enterprise 2.0.4, 1.11.8, and 1.10.14."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-132",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-132: Symlink Attack"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-59",
                  "description": "CWE-59: Improper Link Resolution Before File Access (Link Following)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T20:09:05.752Z",
            "orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
            "shortName": "HashiCorp"
          },
          "references": [
            {
              "url": "https://discuss.hashicorp.com/t/hcsec-2026-21-nomad-vulnerable-to-sandbox-escape-in-docker-task-driver/77561"
            }
          ],
          "source": {
            "advisory": "HCSEC-2026-21",
            "discovery": "EXTERNAL"
          },
          "title": "Nomad vulnerable to sandbox escape in Docker task driver"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
        "assignerShortName": "HashiCorp",
        "cveId": "CVE-2026-14891",
        "datePublished": "2026-07-08T20:09:05.752Z",
        "dateReserved": "2026-07-06T18:05:48.932Z",
        "dateUpdated": "2026-07-08T20:36:00.440Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-14373 (GCVE-0-2026-14373)

    Vulnerability from cvelistv5 – Published: 2026-07-08 17:29 – Updated: 2026-07-08 20:37
    VLAI
    Title
    Nomad Docker driver Linux host namespace bypass
    Summary
    HashiCorp Nomad and Nomad Enterprise did not enforce the allow_privileged restriction for the Docker task driver's host namespace mode options. This may allow an authenticated job submitter to run a container in a host namespace and access information belonging to the host or to other workloads on the same client. This vulnerability, CVE-2026-14373, is fixed in Nomad Community Edition 2.0.4 and Nomad Enterprise 2.0.4, 1.11.8, and 1.10.14.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    HashiCorp Nomad Affected: 0.4.1 , < 2.0.4 (semver)
    Create a notification for this product.
    HashiCorp Nomad Enterprise Affected: 0.4.1 , < 2.0.4 (semver)
    Create a notification for this product.
    Credits
    This issue was reported to HashiCorp by Deniz Onur Duzgun (@dduzgun-security).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-14373",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T20:37:33.792550Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T20:37:39.961Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "64 bit",
                "32 bit",
                "x86",
                "ARM",
                "MacOS",
                "Windows",
                "Linux"
              ],
              "product": "Nomad",
              "repo": "https://github.com/hashicorp/nomad",
              "vendor": "HashiCorp",
              "versions": [
                {
                  "lessThan": "2.0.4",
                  "status": "affected",
                  "version": "0.4.1",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "64 bit",
                "32 bit",
                "x86",
                "ARM",
                "MacOS",
                "Windows",
                "Linux"
              ],
              "product": "Nomad Enterprise",
              "repo": "https://github.com/hashicorp/nomad",
              "vendor": "HashiCorp",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "1.11.8",
                      "status": "unaffected"
                    },
                    {
                      "at": "1.10.14",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2.0.4",
                  "status": "affected",
                  "version": "0.4.1",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "This issue was reported to HashiCorp by Deniz Onur Duzgun (@dduzgun-security)."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eHashiCorp Nomad and Nomad Enterprise did not enforce the allow_privileged restriction for the Docker task driver\u0027s host namespace mode options. This may allow an authenticated job submitter to run a container in a host namespace and access information belonging to the host or to other workloads on the same client. This vulnerability, CVE-2026-14373, is fixed in Nomad Community Edition 2.0.4 and Nomad Enterprise 2.0.4, 1.11.8, and 1.10.14.\u003c/p\u003e\u003cbr/\u003e"
                }
              ],
              "value": "HashiCorp Nomad and Nomad Enterprise did not enforce the allow_privileged restriction for the Docker task driver\u0027s host namespace mode options. This may allow an authenticated job submitter to run a container in a host namespace and access information belonging to the host or to other workloads on the same client. This vulnerability, CVE-2026-14373, is fixed in Nomad Community Edition 2.0.4 and Nomad Enterprise 2.0.4, 1.11.8, and 1.10.14."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-1",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T17:29:30.614Z",
            "orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
            "shortName": "HashiCorp"
          },
          "references": [
            {
              "url": "https://discuss.hashicorp.com/t/hcsec-2026-19-nomad-docker-driver-vulnerable-to-host-namespace-bypass-on-linux/77557"
            }
          ],
          "source": {
            "advisory": "HCSEC-2026-19",
            "discovery": "EXTERNAL"
          },
          "title": "Nomad Docker driver Linux host namespace bypass"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
        "assignerShortName": "HashiCorp",
        "cveId": "CVE-2026-14373",
        "datePublished": "2026-07-08T17:29:30.614Z",
        "dateReserved": "2026-07-01T20:10:53.797Z",
        "dateUpdated": "2026-07-08T20:37:39.961Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-14362 (GCVE-0-2026-14362)

    Vulnerability from cvelistv5 – Published: 2026-07-08 17:14 – Updated: 2026-07-08 19:40
    VLAI
    Title
    Denial of service via crafted push/pull gossip message in memberlist
    Summary
    HashiCorp memberlist before version 0.6.0 is vulnerable to a denial-of-service issue in its push/pull state handling that may allow an attacker with network access to the gossip port to exhaust memory on a receiving node and cause the process to terminate. This vulnerability (CVE-2026-14362) is fixed in memberlist 0.6.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    Impacted products
    Vendor Product Version
    HashiCorp Shared library Affected: 0.1.5 , < 0.6.0 (semver)
    Create a notification for this product.
    Credits
    This issue was reported to HashiCorp by Andy Gill of ZephrSec.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-14362",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T18:29:53.691434Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T19:40:16.119Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "64 bit",
                "32 bit",
                "x86",
                "ARM",
                "MacOS",
                "Windows",
                "Linux"
              ],
              "product": "Shared library",
              "repo": "https://github.com/hashicorp/memberlist",
              "vendor": "HashiCorp",
              "versions": [
                {
                  "lessThan": "0.6.0",
                  "status": "affected",
                  "version": "0.1.5",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "This issue was reported to HashiCorp by Andy Gill of ZephrSec."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eHashiCorp memberlist before version 0.6.0 is vulnerable to a denial-of-service issue in its push/pull state handling that may allow an attacker with network access to the gossip port to exhaust memory on a receiving node and cause the process to terminate. This vulnerability (CVE-2026-14362) is fixed in memberlist 0.6.0.\u003c/p\u003e\u003cbr/\u003e"
                }
              ],
              "value": "HashiCorp memberlist before version 0.6.0 is vulnerable to a denial-of-service issue in its push/pull state handling that may allow an attacker with network access to the gossip port to exhaust memory on a receiving node and cause the process to terminate. This vulnerability (CVE-2026-14362) is fixed in memberlist 0.6.0."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-469",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-469: HTTP DoS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T17:14:18.218Z",
            "orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
            "shortName": "HashiCorp"
          },
          "references": [
            {
              "url": "https://discuss.hashicorp.com/t/hcsec-2026-18-memberlist-vulnerable-to-denial-of-service-via-gossip-message/77556"
            }
          ],
          "source": {
            "advisory": "HCSEC-2026-18",
            "discovery": "EXTERNAL"
          },
          "title": "Denial of service via crafted push/pull gossip message in memberlist"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
        "assignerShortName": "HashiCorp",
        "cveId": "CVE-2026-14362",
        "datePublished": "2026-07-08T17:14:18.218Z",
        "dateReserved": "2026-07-01T19:07:40.964Z",
        "dateUpdated": "2026-07-08T19:40:16.119Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-14468 (GCVE-0-2026-14468)

    Vulnerability from cvelistv5 – Published: 2026-07-06 20:59 – Updated: 2026-07-07 13:52
    VLAI
    Title
    Path traversal allows arbitrary file read in Terraform Enterprise container
    Summary
    HashiCorp Terraform Enterprise contained an issue in its version control system (VCS) ingestion of registry modules that did not correctly enforce the intended boundary on packaged module content. This may allow an authenticated user to include files from outside the intended repository content in a module and then download them, potentially exposing sensitive files readable by the ingestion process. This vulnerability, CVE-2026-14468, is fixed in Terraform Enterprise v2.0.4 and v1.2.4.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
    Assigner
    Impacted products
    Vendor Product Version
    HashiCorp Terraform Enterprise Affected: 1.0.0 , < 2.0.4 (semver)
    Create a notification for this product.
    Credits
    This issue was identified by the Terraform Enterprise engineering team.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-14468",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-07T13:52:23.618304Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-07T13:52:51.836Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "64 bit",
                "32 bit",
                "x86",
                "ARM",
                "MacOS",
                "Windows",
                "Linux"
              ],
              "product": "Terraform Enterprise",
              "vendor": "HashiCorp",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "1.2.4",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2.0.4",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "This issue was identified by the Terraform Enterprise engineering team."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eHashiCorp Terraform Enterprise contained an issue in its version control system (VCS) ingestion of registry modules that did not correctly enforce the intended boundary on packaged module content. This may allow an authenticated user to include files from outside the intended repository content in a module and then download them, potentially exposing sensitive files readable by the ingestion process. This vulnerability, CVE-2026-14468, is fixed in Terraform Enterprise v2.0.4 and v1.2.4.\u003c/p\u003e\u003cbr/\u003e"
                }
              ],
              "value": "HashiCorp Terraform Enterprise contained an issue in its version control system (VCS) ingestion of registry modules that did not correctly enforce the intended boundary on packaged module content. This may allow an authenticated user to include files from outside the intended repository content in a module and then download them, potentially exposing sensitive files readable by the ingestion process. This vulnerability, CVE-2026-14468, is fixed in Terraform Enterprise v2.0.4 and v1.2.4."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-126",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-126: Path Traversal"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-06T20:59:47.011Z",
            "orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
            "shortName": "HashiCorp"
          },
          "references": [
            {
              "url": "https://discuss.hashicorp.com/t/hcsec-2026-17-terraform-enterprise-vulnerable-to-arbitrary-file-read/77549"
            }
          ],
          "source": {
            "advisory": "HCSEC-2026-17",
            "discovery": "INTERNAL"
          },
          "title": "Path traversal allows arbitrary file read in Terraform Enterprise container"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
        "assignerShortName": "HashiCorp",
        "cveId": "CVE-2026-14468",
        "datePublished": "2026-07-06T20:59:47.011Z",
        "dateReserved": "2026-07-02T14:02:23.960Z",
        "dateUpdated": "2026-07-07T13:52:51.836Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5051 (GCVE-0-2026-5051)

    Vulnerability from cvelistv5 – Published: 2026-07-01 17:10 – Updated: 2026-07-01 17:54
    VLAI
    Title
    Audit Log Plugin Directory Guard Bypass via Legacy path Option
    Summary
    HashiCorp Vault and Vault Enterprise prior to 2.0.1 audit device validation logic did not consistently apply plugin directory protections when the legacy file audit path option was used. This vulnerability (CVE-2026-5051) is fixed in 2.0.1, 1.21.6, 1.20.11, and 1.19.17.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
    Assigner
    Impacted products
    Vendor Product Version
    HashiCorp Vault Affected: 1.20.1 , < 2.0.1 (semver)
    Create a notification for this product.
    HashiCorp Vault Enterprise Affected: 1.19.0 , < 2.0.1 (semver)
    Create a notification for this product.
    Credits
    This issue was identified and reported by Vipin Chaudhary.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5051",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-01T17:54:21.733151Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-01T17:54:43.314Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "64 bit",
                "32 bit",
                "x86",
                "ARM",
                "MacOS",
                "Windows",
                "Linux"
              ],
              "product": "Vault",
              "repo": "https://github.com/hashicorp/vault",
              "vendor": "HashiCorp",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "1.20.11",
                      "status": "unaffected"
                    },
                    {
                      "at": "1.21.6",
                      "status": "unaffected"
                    },
                    {
                      "at": "2.0.1",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2.0.1",
                  "status": "affected",
                  "version": "1.20.1",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "64 bit",
                "32 bit",
                "x86",
                "ARM",
                "MacOS",
                "Windows",
                "Linux"
              ],
              "product": "Vault Enterprise",
              "repo": "https://github.com/hashicorp/vault",
              "vendor": "HashiCorp",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "1.19.17",
                      "status": "unaffected"
                    },
                    {
                      "at": "1.20.11",
                      "status": "unaffected"
                    },
                    {
                      "at": "1.21.6",
                      "status": "unaffected"
                    },
                    {
                      "at": "2.0.1",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2.0.1",
                  "status": "affected",
                  "version": "1.19.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "This issue was identified and reported by Vipin Chaudhary."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eHashiCorp Vault and Vault Enterprise prior to 2.0.1 audit device validation logic did not consistently apply plugin directory protections when the legacy file audit path option was used. \n\nThis vulnerability (CVE-2026-5051) is fixed in 2.0.1, 1.21.6, 1.20.11, and 1.19.17.\u003c/p\u003e\u003cbr/\u003e"
                }
              ],
              "value": "HashiCorp Vault and Vault Enterprise prior to 2.0.1 audit device validation logic did not consistently apply plugin directory protections when the legacy file audit path option was used. \n\nThis vulnerability (CVE-2026-5051) is fixed in 2.0.1, 1.21.6, 1.20.11, and 1.19.17."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-126",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-126: Path Traversal"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-01T17:10:56.918Z",
            "orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
            "shortName": "HashiCorp"
          },
          "references": [
            {
              "url": "https://discuss.hashicorp.com/t/hcsec-2026-16-vault-audit-device-plugin-directory-guard-bypass-via-legacy-path-option/77536"
            }
          ],
          "source": {
            "advisory": "HCSEC-2026-16",
            "discovery": "EXTERNAL"
          },
          "title": "Audit Log Plugin Directory Guard Bypass via Legacy path Option"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
        "assignerShortName": "HashiCorp",
        "cveId": "CVE-2026-5051",
        "datePublished": "2026-07-01T17:10:56.918Z",
        "dateReserved": "2026-03-27T17:45:14.081Z",
        "dateUpdated": "2026-07-01T17:54:43.314Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-7474 (GCVE-0-2026-7474)

    Vulnerability from cvelistv5 – Published: 2026-05-12 19:09 – Updated: 2026-05-13 03:58
    VLAI
    Title
    Nomad vulnerable to path traversal in dynamic host volume which may lead to code execution
    Summary
    HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to code execution on the client host through a path traversal attack. This vulnerability (CVE-2026-7474) is fixed in Nomad 2.0.1, 1.11.5 and 1.10.11.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
    Assigner
    Impacted products
    Vendor Product Version
    HashiCorp Nomad Affected: 1.10.0 , < 2.0.1 (semver)
    Create a notification for this product.
    HashiCorp Nomad Enterprise Affected: 1.10.0 , < 2.0.1 (semver)
    Create a notification for this product.
    Credits
    This issue was reported to HashiCorp by Adrian Denkiewicz at Doyensec in collaboration with Claude and Anthropic Research
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-7474",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-12T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-13T03:58:40.530Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "64 bit",
                "32 bit",
                "x86",
                "ARM",
                "MacOS",
                "Windows",
                "Linux"
              ],
              "product": "Nomad",
              "repo": "https://github.com/hashicorp/nomad",
              "vendor": "HashiCorp",
              "versions": [
                {
                  "lessThan": "2.0.1",
                  "status": "affected",
                  "version": "1.10.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "64 bit",
                "32 bit",
                "x86",
                "ARM",
                "MacOS",
                "Windows",
                "Linux"
              ],
              "product": "Nomad Enterprise",
              "repo": "https://github.com/hashicorp/nomad",
              "vendor": "HashiCorp",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "1.10.11",
                      "status": "unaffected"
                    },
                    {
                      "at": "1.11.5",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2.0.1",
                  "status": "affected",
                  "version": "1.10.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "This issue was reported to HashiCorp by Adrian Denkiewicz at Doyensec in collaboration with Claude and Anthropic Research"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eHashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to code execution on the client host through a path traversal attack. This vulnerability (CVE-2026-7474) is fixed in Nomad 2.0.1, 1.11.5 and 1.10.11.\u003c/p\u003e\u003cbr/\u003e"
                }
              ],
              "value": "HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to code execution on the client host through a path traversal attack. This vulnerability (CVE-2026-7474) is fixed in Nomad 2.0.1, 1.11.5 and 1.10.11."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-126",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-126: Path Traversal"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-12T19:09:44.680Z",
            "orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
            "shortName": "HashiCorp"
          },
          "references": [
            {
              "url": "https://discuss.hashicorp.com/t/hcsec-2026-15-nomad-vulnerable-to-path-traversal-in-dynamic-host-volume-which-may-lead-to-code-execution/77417"
            }
          ],
          "source": {
            "advisory": "HCSEC-2026-15",
            "discovery": "EXTERNAL"
          },
          "title": "Nomad vulnerable to path traversal in dynamic host volume which may lead to code execution"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
        "assignerShortName": "HashiCorp",
        "cveId": "CVE-2026-7474",
        "datePublished": "2026-05-12T19:09:44.680Z",
        "dateReserved": "2026-04-29T21:07:13.054Z",
        "dateUpdated": "2026-05-13T03:58:40.530Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-8052 (GCVE-0-2026-8052)

    Vulnerability from cvelistv5 – Published: 2026-05-12 19:09 – Updated: 2026-05-12 20:22
    VLAI
    Title
    Nomad's exec2 task driver vulnerable to arbitrary file read/write on client host through symlink attack
    Summary
    HashiCorp Nomad’s exec2 task driver prior to 0.1.2 is vulnerable to arbitrary file read and write on the client host as the Nomad process user through a symlink attack. This vulnerability (CVE-2026-8052) is fixed in version 0.1.2 of the exec2 task driver.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-59 - Improper Link Resolution Before File Access (Link Following)
    Assigner
    Impacted products
    Vendor Product Version
    HashiCorp Shared library Affected: 0.1.0 , < 0.1.2 (semver)
    Create a notification for this product.
    Credits
    This issue was identified by the Nomad engineering team in conjunction with Alex Manson (Aiven / NeuroWinter).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8052",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-12T20:22:26.659986Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-12T20:22:44.939Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "64 bit",
                "32 bit",
                "x86",
                "ARM",
                "MacOS",
                "Windows",
                "Linux"
              ],
              "product": "Shared library",
              "repo": "https://github.com/hashicorp/nomad-driver-exec2",
              "vendor": "HashiCorp",
              "versions": [
                {
                  "lessThan": "0.1.2",
                  "status": "affected",
                  "version": "0.1.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "This issue was identified by the Nomad engineering team in conjunction with Alex Manson (Aiven / NeuroWinter)."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eHashiCorp Nomad\u2019s exec2 task driver prior to 0.1.2 is vulnerable to arbitrary file read and write on the client host as the Nomad process user through a symlink attack. This vulnerability (CVE-2026-8052) is fixed in version 0.1.2 of the exec2 task driver.\u003c/p\u003e\u003cbr/\u003e"
                }
              ],
              "value": "HashiCorp Nomad\u2019s exec2 task driver prior to 0.1.2 is vulnerable to arbitrary file read and write on the client host as the Nomad process user through a symlink attack. This vulnerability (CVE-2026-8052) is fixed in version 0.1.2 of the exec2 task driver."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-132",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-132: Symlink Attack"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-59",
                  "description": "CWE-59: Improper Link Resolution Before File Access (Link Following)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-12T19:09:15.248Z",
            "orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
            "shortName": "HashiCorp"
          },
          "references": [
            {
              "url": "https://discuss.hashicorp.com/t/hcsec-2026-13-nomads-exec2-task-driver-vulnerable-to-arbitrary-file-read-write-on-client-host-through-symlink-attack/77415"
            }
          ],
          "source": {
            "advisory": "HCSEC-2026-13",
            "discovery": "EXTERNAL"
          },
          "title": "Nomad\u0027s exec2 task driver vulnerable to arbitrary file read/write on client host through symlink attack"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
        "assignerShortName": "HashiCorp",
        "cveId": "CVE-2026-8052",
        "datePublished": "2026-05-12T19:09:15.248Z",
        "dateReserved": "2026-05-06T18:39:30.181Z",
        "dateUpdated": "2026-05-12T20:22:44.939Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6959 (GCVE-0-2026-6959)

    Vulnerability from cvelistv5 – Published: 2026-05-12 18:59 – Updated: 2026-05-12 20:16
    VLAI
    Title
    Nomad vulnerable to arbitrary file read/write on client host through symlink attack
    Summary
    HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to arbitrary file read and write on the client host as the Nomad process user through a symlink attack. This vulnerability (CVE-2026-6959) is fixed in Nomad 2.0.1, 1.11.5 and 1.10.11.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-59 - Improper Link Resolution Before File Access (Link Following)
    Assigner
    Impacted products
    Vendor Product Version
    HashiCorp Nomad Affected: 0.9.0 , < 2.0.1 (semver)
    Create a notification for this product.
    HashiCorp Nomad Enterprise Affected: 0.9.0 , < 2.0.1 (semver)
    Create a notification for this product.
    Credits
    This issue was identified by Alex Manson (Aiven / NeuroWinter).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6959",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-12T20:14:14.584948Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-12T20:16:15.200Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "64 bit",
                "32 bit",
                "x86",
                "ARM",
                "MacOS",
                "Windows",
                "Linux"
              ],
              "product": "Nomad",
              "repo": "https://github.com/hashicorp/nomad",
              "vendor": "HashiCorp",
              "versions": [
                {
                  "lessThan": "2.0.1",
                  "status": "affected",
                  "version": "0.9.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "64 bit",
                "32 bit",
                "x86",
                "ARM",
                "MacOS",
                "Windows",
                "Linux"
              ],
              "product": "Nomad Enterprise",
              "repo": "https://github.com/hashicorp/nomad",
              "vendor": "HashiCorp",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "1.11.5",
                      "status": "unaffected"
                    },
                    {
                      "at": "1.10.11",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2.0.1",
                  "status": "affected",
                  "version": "0.9.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "This issue was identified by Alex Manson (Aiven / NeuroWinter)."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eHashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to arbitrary file read and write on the client host as the Nomad process user through a symlink attack. This vulnerability (CVE-2026-6959) is fixed in Nomad 2.0.1, 1.11.5 and 1.10.11.\u003c/p\u003e\u003cbr/\u003e"
                }
              ],
              "value": "HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to arbitrary file read and write on the client host as the Nomad process user through a symlink attack. This vulnerability (CVE-2026-6959) is fixed in Nomad 2.0.1, 1.11.5 and 1.10.11."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-132",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-132: Symlink Attack"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-59",
                  "description": "CWE-59: Improper Link Resolution Before File Access (Link Following)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-12T18:59:09.029Z",
            "orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
            "shortName": "HashiCorp"
          },
          "references": [
            {
              "url": "https://discuss.hashicorp.com/t/hcsec-2026-14-nomad-arbitrary-file-read-write-on-client-host-through-symlink-attack/77416"
            }
          ],
          "source": {
            "advisory": "HCSEC-2026-14",
            "discovery": "EXTERNAL"
          },
          "title": "Nomad vulnerable to arbitrary file read/write on client host through symlink attack"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
        "assignerShortName": "HashiCorp",
        "cveId": "CVE-2026-6959",
        "datePublished": "2026-05-12T18:59:09.029Z",
        "dateReserved": "2026-04-24T14:29:55.377Z",
        "dateUpdated": "2026-05-12T20:16:15.200Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5061 (GCVE-0-2026-5061)

    Vulnerability from cvelistv5 – Published: 2026-05-12 13:58 – Updated: 2026-05-12 15:43
    VLAI
    Title
    Consul-template vulnerable to sandbox path bypass in file helper via a symlink attack
    Summary
    The consul-template library before version 0.42.0 is vulnerable to a sandbox path bypass in the file template helper that may allow reading an out-of-sandbox file. This vulnerability (CVE-2026-5061) is fixed in consul-template 0.42.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-59 - Improper Link Resolution Before File Access (Link Following)
    Assigner
    Impacted products
    Vendor Product Version
    HashiCorp Tooling Affected: 0.1.0 , < 0.42.0 (semver)
    Create a notification for this product.
    Credits
    This issue was reported to HashiCorp by Mohamed Abdelaal (0xmrma).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5061",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-12T15:42:51.707805Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-12T15:43:01.985Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "64 bit",
                "32 bit",
                "x86",
                "ARM",
                "MacOS",
                "Windows",
                "Linux"
              ],
              "product": "Tooling",
              "repo": "https://github.com/hashicorp/consul-template",
              "vendor": "HashiCorp",
              "versions": [
                {
                  "lessThan": "0.42.0",
                  "status": "affected",
                  "version": "0.1.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "This issue was reported to HashiCorp by Mohamed Abdelaal (0xmrma)."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThe consul-template library before version 0.42.0 is vulnerable to a sandbox path bypass in the file template helper that may allow reading an out-of-sandbox file. This vulnerability (CVE-2026-5061) is fixed in consul-template 0.42.0.\u003c/p\u003e\u003cbr/\u003e"
                }
              ],
              "value": "The consul-template library before version 0.42.0 is vulnerable to a sandbox path bypass in the file template helper that may allow reading an out-of-sandbox file. This vulnerability (CVE-2026-5061) is fixed in consul-template 0.42.0."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-132",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-132: Symlink Attack"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-59",
                  "description": "CWE-59: Improper Link Resolution Before File Access (Link Following)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-12T13:58:20.409Z",
            "orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
            "shortName": "HashiCorp"
          },
          "references": [
            {
              "url": "https://discuss.hashicorp.com/t/hcsec-2026-12-consul-template-vulnerable-to-sandbox-path-bypass-in-file-helper-through-symlink-attack/77414"
            }
          ],
          "source": {
            "advisory": "HCSEC-2026-12",
            "discovery": "EXTERNAL"
          },
          "title": "Consul-template vulnerable to sandbox path bypass in file helper via a symlink attack"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
        "assignerShortName": "HashiCorp",
        "cveId": "CVE-2026-5061",
        "datePublished": "2026-05-12T13:58:20.409Z",
        "dateReserved": "2026-03-27T18:27:28.875Z",
        "dateUpdated": "2026-05-12T15:43:01.985Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-7776 (GCVE-0-2026-7776)

    Vulnerability from cvelistv5 – Published: 2026-05-04 21:34 – Updated: 2026-05-05 14:14
    VLAI
    Title
    Boundary Workers Vulnerable to Denial of Service During TLS Handshake
    Summary
    Boundary Community Edition and Boundary Enterprise (“Boundary”) workers are vulnerable to a denial-of-service condition during node enrollment TLS handshakes. An attacker with network access to the worker authentication listener may open a connection and delay or withhold the client certificate during the TLS handshake, causing worker connection handling to block. This may prevent legitimate worker connections from being accepted or routed. This vulnerability, CVE-2026-7776, is fixed in Boundary 0.21.3, 0.20.3, 0.19.5.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    Impacted products
    Vendor Product Version
    HashiCorp Boundary Affected: 0.9.0 , < 0.21.3 (semver)
    Create a notification for this product.
    HashiCorp Boundary Enterprise Affected: 0.9.0 , < 0.21.3 (semver)
    Create a notification for this product.
    Credits
    This issue was identified by the Boundary Engineering team.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-7776",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-05T13:20:57.356797Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-05T14:14:05.799Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "64 bit",
                "32 bit",
                "x86",
                "ARM",
                "MacOS",
                "Windows",
                "Linux"
              ],
              "product": "Boundary",
              "repo": "https://github.com/hashicorp/boundary",
              "vendor": "HashiCorp",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "0.19.5",
                      "status": "unaffected"
                    },
                    {
                      "at": "0.20.3",
                      "status": "unaffected"
                    },
                    {
                      "at": "0.21.3",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "0.21.3",
                  "status": "affected",
                  "version": "0.9.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "64 bit",
                "32 bit",
                "x86",
                "ARM",
                "MacOS",
                "Windows",
                "Linux"
              ],
              "product": "Boundary Enterprise",
              "repo": "https://github.com/hashicorp/boundary",
              "vendor": "HashiCorp",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "0.19.5",
                      "status": "unaffected"
                    },
                    {
                      "at": "0.20.3",
                      "status": "unaffected"
                    },
                    {
                      "at": "0.21.3",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "0.21.3",
                  "status": "affected",
                  "version": "0.9.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "This issue was identified by the Boundary Engineering team."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eBoundary Community Edition and Boundary Enterprise (\u201cBoundary\u201d) workers are vulnerable to a denial-of-service condition during node enrollment TLS handshakes. An attacker with network access to the worker authentication listener may open a connection and delay or withhold the client certificate during the TLS handshake, causing worker connection handling to block. This may prevent legitimate worker connections from being accepted or routed. This vulnerability, CVE-2026-7776, is fixed in Boundary 0.21.3, 0.20.3, 0.19.5.\u003c/p\u003e\u003cbr/\u003e"
                }
              ],
              "value": "Boundary Community Edition and Boundary Enterprise (\u201cBoundary\u201d) workers are vulnerable to a denial-of-service condition during node enrollment TLS handshakes. An attacker with network access to the worker authentication listener may open a connection and delay or withhold the client certificate during the TLS handshake, causing worker connection handling to block. This may prevent legitimate worker connections from being accepted or routed. This vulnerability, CVE-2026-7776, is fixed in Boundary 0.21.3, 0.20.3, 0.19.5."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-227",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-227: Sustained Client Engagement"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-04T21:36:18.758Z",
            "orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
            "shortName": "HashiCorp"
          },
          "references": [
            {
              "url": "https://discuss.hashicorp.com/t/hcsec-2026-11-boundary-workers-vulnerable-to-denial-of-service-during-tls-handshake"
            }
          ],
          "source": {
            "advisory": "HCSEC-2026-11",
            "discovery": "INTERNAL"
          },
          "title": "Boundary Workers Vulnerable to Denial of Service During TLS Handshake"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
        "assignerShortName": "HashiCorp",
        "cveId": "CVE-2026-7776",
        "datePublished": "2026-05-04T21:34:10.975Z",
        "dateReserved": "2026-05-04T15:10:16.232Z",
        "dateUpdated": "2026-05-05T14:14:05.799Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5807 (GCVE-0-2026-5807)

    Vulnerability from cvelistv5 – Published: 2026-04-17 03:22 – Updated: 2026-06-30 12:11
    VLAI
    Title
    Vault Vulnerable to Denial-of-Service via Unauthenticated Root Token Generation/Rekey Operations
    Summary
    Vault is vulnerable to a denial-of-service condition where an unauthenticated attacker can repeatedly initiate or cancel root token generation or rekey operations, occupying the single in-progress operation slot. This prevents legitimate operators from completing these workflows. This vulnerability, CVE-2026-5807, is fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    Impacted products
    Credits
    This issue was identified by XlabAI Team of Tencent Xuanwu Lab and the Atuin Automated Vulnerability Discovery Engine who reported it to HashiCorp.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5807",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-17T13:18:46.561122Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-17T13:19:07.594Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_data_foundation:4"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Openshift Data Foundation 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift:4"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat OpenShift Container Platform 4",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-04-17T03:22:13.816Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in Vault. An unauthenticated attacker can repeatedly initiate or cancel root token generation or rekey operations. This action occupies the single slot designated for in-progress operations, effectively preventing legitimate operators from completing critical administrative workflows. This vulnerability leads to a denial-of-service condition, impacting the availability of Vault\u0027s key management functions."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-770",
                    "description": "Allocation of Resources Without Limits or Throttling",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:11:12.664Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-5807"
              },
              {
                "name": "RHBZ#2459109",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2459109"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-5807.json"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-04-17T05:00:53.880Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-04-17T03:22:13.816Z",
                "value": "Made public."
              }
            ],
            "title": "Vault: Vault: Denial of Service via unauthenticated root token generation or rekey operations",
            "workarounds": [
              {
                "lang": "en",
                "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "64 bit",
                "32 bit",
                "x86",
                "ARM",
                "MacOS",
                "Windows",
                "Linux"
              ],
              "product": "Vault",
              "repo": "https://github.com/hashicorp/vault",
              "vendor": "HashiCorp",
              "versions": [
                {
                  "lessThan": "2.0.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "64 bit",
                "32 bit",
                "x86",
                "ARM",
                "MacOS",
                "Windows",
                "Linux"
              ],
              "product": "Vault Enterprise",
              "repo": "https://github.com/hashicorp/vault",
              "vendor": "HashiCorp",
              "versions": [
                {
                  "lessThan": "2.0.0.",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "This issue was identified by XlabAI Team of Tencent Xuanwu Lab and the Atuin Automated Vulnerability Discovery Engine who reported it to HashiCorp."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eVault is vulnerable to a denial-of-service condition where an unauthenticated attacker can repeatedly initiate or cancel root token generation or rekey operations, occupying the single in-progress operation slot. This prevents legitimate operators from completing these workflows. This vulnerability, CVE-2026-5807, is fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0.\u003c/p\u003e\u003cbr/\u003e"
                }
              ],
              "value": "Vault is vulnerable to a denial-of-service condition where an unauthenticated attacker can repeatedly initiate or cancel root token generation or rekey operations, occupying the single in-progress operation slot. This prevents legitimate operators from completing these workflows. This vulnerability, CVE-2026-5807, is fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-125",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-125: Flooding"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-17T17:57:55.504Z",
            "orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
            "shortName": "HashiCorp"
          },
          "references": [
            {
              "url": "https://discuss.hashicorp.com/t/hcsec-2026-08-vault-vulnerable-to-denial-of-service-via-unauthenticated-root-token-generation-rekey-operations/77345"
            }
          ],
          "source": {
            "advisory": "HCSEC-2026-08",
            "discovery": "EXTERNAL"
          },
          "title": "Vault Vulnerable to Denial-of-Service via Unauthenticated Root Token Generation/Rekey Operations"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
        "assignerShortName": "HashiCorp",
        "cveId": "CVE-2026-5807",
        "datePublished": "2026-04-17T03:22:13.816Z",
        "dateReserved": "2026-04-08T14:43:57.845Z",
        "dateUpdated": "2026-06-30T12:11:12.664Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-4525 (GCVE-0-2026-4525)

    Vulnerability from cvelistv5 – Published: 2026-04-17 03:00 – Updated: 2026-06-30 12:10
    VLAI
    Title
    Vault Token Leaked to Backends via Authorization: Bearer Passthrough Header
    Summary
    If a Vault auth mount is configured to pass through the "Authorization" header, and the "Authorization" header is used to authenticate to Vault, Vault forwarded the Vault token to the auth plugin backend. Fixed in 2.0.0, 1.21.5, 1.20.10, and 1.19.16.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-201 - Insertion of Sensitive Information Into Sent Data
    Assigner
    Impacted products
    Credits
    This issue was identified and reported by Oleh Konko of 1seal.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-4525",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-17T13:19:26.452614Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-17T13:19:32.463Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_data_foundation:4"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Openshift Data Foundation 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift:4"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat OpenShift Container Platform 4",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-04-17T03:00:47.561Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in Vault. When a Vault authentication mount is configured to pass through the \"Authorization\" header, and this header is used for authentication, Vault incorrectly forwards the sensitive Vault token to the authentication plugin backend. This can lead to the disclosure of authentication tokens to potentially untrusted or compromised backend plugins, enabling unauthorized access or further system compromise."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "HIGH",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-201",
                    "description": "Insertion of Sensitive Information Into Sent Data",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:10:40.586Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-4525"
              },
              {
                "name": "RHBZ#2459107",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2459107"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-4525.json"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-04-17T04:01:24.934Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-04-17T03:00:47.561Z",
                "value": "Made public."
              }
            ],
            "title": "Vault: Vault: Information disclosure of authentication tokens via incorrect header handling",
            "workarounds": [
              {
                "lang": "en",
                "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "64 bit",
                "32 bit",
                "x86",
                "ARM",
                "MacOS",
                "Windows",
                "Linux"
              ],
              "product": "Vault",
              "repo": "https://github.com/hashicorp/vault",
              "vendor": "HashiCorp",
              "versions": [
                {
                  "lessThan": "2.0.0",
                  "status": "affected",
                  "version": "0.11.2",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "64 bit",
                "32 bit",
                "x86",
                "ARM",
                "MacOS",
                "Windows",
                "Linux"
              ],
              "product": "Vault Enterprise",
              "repo": "https://github.com/hashicorp/vault",
              "vendor": "HashiCorp",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "1.19.16",
                      "status": "unaffected"
                    },
                    {
                      "at": "1.20.10",
                      "status": "unaffected"
                    },
                    {
                      "at": "1.21.5",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "2.0.0",
                  "status": "affected",
                  "version": "0.11.2",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "This issue was identified and reported by Oleh Konko of 1seal."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eIf a Vault auth mount is configured to pass through the \"Authorization\" header, and the \"Authorization\" header is used to authenticate to Vault, Vault forwarded the Vault token to the auth plugin backend. Fixed in 2.0.0, 1.21.5, 1.20.10, and 1.19.16.\u003c/p\u003e\u003cbr/\u003e"
                }
              ],
              "value": "If a Vault auth mount is configured to pass through the \"Authorization\" header, and the \"Authorization\" header is used to authenticate to Vault, Vault forwarded the Vault token to the auth plugin backend. Fixed in 2.0.0, 1.21.5, 1.20.10, and 1.19.16."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-118",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-118: Collect and Analyze Information"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-201",
                  "description": "CWE-201: Insertion of Sensitive Information Into Sent Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-17T17:22:41.255Z",
            "orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
            "shortName": "HashiCorp"
          },
          "references": [
            {
              "url": "https://discuss.hashicorp.com/t/hcsec-2026-07-vault-may-expose-tokens-to-auth-plugins-due-to-incorrect-header-sanitization/77344"
            }
          ],
          "source": {
            "advisory": "HCSEC-2026-08",
            "discovery": "EXTERNAL"
          },
          "title": "Vault Token Leaked to Backends via Authorization: Bearer Passthrough Header"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
        "assignerShortName": "HashiCorp",
        "cveId": "CVE-2026-4525",
        "datePublished": "2026-04-17T03:00:47.561Z",
        "dateReserved": "2026-03-20T17:47:40.835Z",
        "dateUpdated": "2026-06-30T12:10:40.586Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }