Nomad vulnerable to path traversal in dynamic host volume which may lead to code execution
HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to code execution on the client host through a path traversal attack. This vulnerability, CVE-2026-7474, is fixed in Nomad 2.0.1, 1.11.5 and 1.10.11. Nomad’s Dynamic Host Volumes feature allows the cluster admin to allow authorized...
Vault Vulnerable to Denial-of-Service via Unauthenticated Root Token Generation/Rekey Operations
Vault is vulnerable to a denial-of-service condition where an unauthenticated attacker can repeatedly initiate or cancel root token generation or rekey operations, occupying the single in-progress operation slot. This prevents legitimate operators from completing these workflows. This...
Vault May Expose Tokens to Auth Plugins Due to Incorrect Header Sanitization
If a Vault auth mount is configured to pass through the “Authorization” header, and the “Authorization” header is used to authenticate to Vault, Vault forwarded the Vault token to the auth plugin backend. This issue, CVE-2026-4525, is fixed in Vault Community Edition 2.0.0 and Vault Enterprise...
Vault Terraform Provider Applied Incorrect Defaults for LDAP Auth Method
Vault’s Terraform Provider incorrectly set the default deny_null_bind parameter for the LDAP auth method to false, potentially resulting in an insecure configuration. If the underlying LDAP server allowed anonymous or unauthenticated binds, this could result in authentication bypass. Thi...
Consul's event endpoint is vulnerable to denial of service
Consul and Consul Enterprise’s (“Consul”) event endpoint is vulnerable to denial of service (DoS) due to lack of maximum value on the Content-Length header. This vulnerability, CVE-2025-11375, is fixed in Consul Community Edition 1.22.0 and Consul Enterprise 1.22.0, 1.21.6, 1.20.8 and 1.18.12. Consul...
Vault User Enumeration in Userpass Auth Method
Vault Community and Vault Enterprise’s (“Vault”) userpass method is affected by a user enumeration vulnerability. This may allow an attacker to enumerate valid usernames on this auth method through brute force or a list of known usernames. CVE-2025-6010 was reserved by HashiCorp to track this issue...
Vault TOTP Secrets Engine Code Reuse
Vault and Vault Enterprise’s (“Vault”) TOTP Secrets Engine code validation endpoint is susceptible to code reuse within its validity period. This vulnerability, identified as CVE-2025-6014, is fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23. Vault’s...
Nomad Enterprise Vulnerable To Violation Of Mandatory Sentinel Policies in Job Submissions via Policy Override
Nomad Enterprise (“Nomad”) jobs using the policy override option are bypassing the mandatory Sentinel policies. This vulnerability, identified as CVE-2025-3744, is fixed in Nomad Enterprise 1.10.1, 1.9.9, and 1.8.13. Nomad Enterprise uses Sentinel to augment the built-in ACL system to provide...
Nomad arbitrary file read/write on client host through symlink attack
HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to arbitrary file read and write on the client host as the Nomad process user through a symlink attack. This vulnerability, CVE-2026-6959, is fixed in Nomad 2.0.1, 1.11.5 and 1.10.11. Nomad workloads are run by task drivers that...
Vault Vulnerable to Server-Side Request Forgery in ACME Challenge Validation via Attacker-Controlled DNS
Vault’s PKI engine’s ACME validation did not reject local targets when issuing http-01 and tls-alpn-01 challenges. This may lead to these requests being sent to local network targets, potentially leading to information disclosure. This vulnerability, CVE-2026-5052, is fixed in Vault Community...
Vault KVv2 Metadata and Secret Deletion Policy Bypass Denial-of-Service
An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user to delete secrets across namespaces, nor read any secret...
Go-getter may allow arbitrary filesystem reads through git operations
HashiCorp’s go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This vulnerability, CVE-2026-4660, is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branch and package...
Consul Vulnerable to Arbitrary File Reads Through the Vault Kubernetes Authentication Provider
HashiCorp Consul and Consul Enterprise 1.18.20 up to 1.21.10 and 1.22.4 are vulnerable to arbitrary file read when configured with Kubernetes authentication. This vulnerability, CVE-2026-2808, is fixed in Consul 1.18.21, 1.21.11 and 1.22.5. The Consul kubernetes auth method type allows for a...
Arbitrary code execution in React server-side rendering of untrusted MDX content
The serialize function used to compile MDX in next-mdx-remote is vulnerable to arbitrary code execution due to insufficient sanitization of MDX content. This vulnerability, CVE-2026-0969, is fixed in next-mdx-remote 6.0.0. next-mdx-remote is an open-source TypeScript library that allows MDX conte...
Terraform Enterprise state versions can be created by users without sufficient write access
Terraform state versions can be created by a user with specific but insufficient permissions in a Terraform Enterprise workspace. This may allow for the alteration of infrastructure if a subsequent plan operation is approved by a user with approval permission or is auto-applied. This vulnerabilit...
Consul's KV endpoint is vulnerable to denial of service
Consul and Consul Enterprise’s (“Consul”) key/value endpoint is vulnerable to denial of service (DoS) due to incorrect Content-Length header validation. This vulnerability, CVE-2025-11374, is fixed in Consul Community Edition 1.22.0 and Consul Enterprise 1.22.0, 1.21.6, 1.20.8 and 1.18.12. Consul’s K...
Vault Vulnerable to Denial of Service Due to Rate Limit Regression
Vault and Vault Enterprise (“Vault”) are vulnerable to an unauthenticated denial of service when processing JSON payloads. This occurs due to a regression from a previous fix for HCSEC-2025-24 which allowed for processing JSON payloads before applying rate limits. This vulnerability, CVE-2025-12044...
HashiCorp go-getter Vulnerable to Arbitrary Read through Symlink Attack
HashiCorp’s go-getter library subdirectory download feature is vulnerable to symlink attacks leading to unauthorized read access beyond the designated directory boundaries. This vulnerability, identified as CVE-2025-8959, is fixed in go-getter 1.7.9. HashiCorp’s go-getter is a library for Go for...
Vault LDAP MFA Enforcement Bypass When Using Username As Alias
Vault and Vault Enterprise’s (“Vault”) ldap auth method may not have correctly enforced MFA if username_as_alias was set to true and a user had multiple CNs that are equal but with leading or trailing spaces. This vulnerability, CVE-2025-6013, is fixed in Vault Community Edition 1.20.2 and Vault...
Vault Login MFA Bypass of Rate Limiting and TOTP Token Reuse
Vault and Vault Enterprise’s (“Vault”) login MFA rate limits could be bypassed and TOTP tokens could be reused. This vulnerability, CVE-2025-6015, is fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23. Vault’s login MFA is the underlying identity syste...
Vault Userpass and LDAP User Lockout Bypass
Vault and Vault Enterprise’s (“Vault”) user lockout feature could be bypassed for Userpass and LDAP authentication methods. This vulnerability, identified as CVE-2025-6004, is fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23. Vault’s user lockout...
Privileged Vault Operator May Execute Code on the Underlying Host
A privileged Vault operator within the root namespace with write permission to sys/audit may obtain code execution on the underlying host if a plugin directory is set in Vault’s configuration. This vulnerability, identified as CVE-2025-6000, is fixed in Vault Community Edition 1.20.1 and Vault...
Vault May Expose Sensitive Information in Error Logs When Processing Malformed Data With the KV v2 Plugin
Vault Community and Vault Enterprise Key/Value (kv) Version 2 plugin may unintentionally expose sensitive information in server and audit logs when users submit malformed payloads during secret creation or update operations via the Vault REST API. This vulnerability, identified as CVE-2025-4166, is...
Vault’s Azure Authentication Method bound_location Restriction Could be Bypassed on Login
Vault Community, Vault Enterprise (“Vault”) Azure Auth method did not correctly validate the claims in the Azure-issued token, resulting in the potential bypass of the bound_locations parameter on login. This vulnerability, identified as CVE-2025-3879, is fixed in Vault Community Edition 1.19.1 and...
Nomad's exec2 task driver vulnerable to arbitrary file read/write on client host through symlink attack
HashiCorp Nomad’s exec2 task driver prior to 0.1.2 is vulnerable to arbitrary file read and write on the client host as the Nomad process user through a symlink attack. This vulnerability, CVE-2026-8052, is fixed in version 0.1.2 of the exec2 task driver. Nomad workloads are run by task drivers tha...
Consul-template vulnerable to sandbox path bypass in file helper through symlink attack
The consul-template library before version 0.42.0 is vulnerable to a sandbox path bypass in the file template helper that may allow reading an out-of-sandbox file. This vulnerability, CVE-2026-5061, is fixed in consul-template 0.42.0. The file template function reads a local file from disk and...
Boundary Workers Vulnerable to Denial of Service During TLS Handshake
Boundary Community Edition and Boundary Enterprise (“Boundary”) workers are vulnerable to a denial-of-service condition during node enrollment TLS handshakes. An attacker with network access to the worker authentication listener may open a connection and delay or withhold the client certificate...
Incomplete Fix For Previous Vault DoS Issue
A fix for a previous security issue impacting HashiCorp Vault (HCSEC-2025-24 / CVE-2025-6203) was incomplete, and did not fully address the vulnerability. The fix was corrected in Vault versions 1.21.0, 1.20.5, 1.19.11, and 1.16.27. The CVE advisory and security bulletin have been updated to reflec...
Vault AWS Auth Method Authentication Bypass Through Mishandling of Cache Entries
Vault and Vault Enterprise’s (“Vault”) AWS Auth method may be susceptible to authentication bypass if the role of the configured boundprincipaliam is the same across AWS accounts, or uses a wildcard. This vulnerability, CVE-2025-11621, is fixed in Vault Community Edition 1.21.0 and Vault Enterprise...
Vault Denial of Service Through Complex JSON Payloads
A malicious user may submit a specially-crafted complex payload that otherwise meets the default request size limit which results in excessive memory and CPU consumption of Vault. This may lead to a timeout in Vault’s auditing subroutine, potentially resulting in the Vault server to become...
Vault Certificate Auth Method Did Not Validate Common Name For Non-CA Certificates
Vault and Vault Enterprise (“Vault”) TLS certificate auth method did not correctly validate client certificates when configured with a non-CA certificate as trusted certificate. In this configuration, an attacker may be able to craft a malicious certificate that could be used to impersonate anothe...
Timing Side-Channel in Vault’s Userpass Auth Method
A timing side channel in Vault and Vault Enterprise’s (“Vault”) userpass auth method allowed an attacker to distinguish between existing and non-existing users, and potentially enumerate valid usernames for Vault’s userpass auth method. This vulnerability, identified as CVE-2025-6011, is fixed in...
Vault Root Namespace Operator May Elevate Token Privileges
A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or another user’s token privileges to Vault’s root policy. This vulnerability, identified as CVE-2025-5999, is fixed in Vault Community Edition 1.20.0 and Vault Enterprise 1.20.0,...
HCSEC-2025-11 Vault Vulnerable to Recovery Key Cancellation Denial of Service
Vault Community and Vault Enterprise rekey and recovery key operations can lead to a denial of service due to uncontrolled cancellation by a Vault operator. This vulnerability, CVE-2025-4656, has been remediated in Vault Community Edition 1.20.0 and Vault Enterprise 1.20.0, 1.19.6, 1.18.11, 1.17.17...
Nomad Vulnerable To Incorrect ACL Policy Lookup Attached To A Job
Nomad Community and Nomad Enterprise (“Nomad”) prefix-based ACL policy lookup can lead to incorrect rule application and shadowing. This vulnerability, identified as CVE-2025-4922, is fixed in Nomad Community Edition 1.10.2 and Nomad Enterprise 1.10.2, 1.9.10, and 1.8.14. Nomad provides an optional...
Terraform Enterprise’s Single Sign-On and Ruby SAML’s CVE-2025-25291 and CVE-2025-25292
Terraform Enterprise’s single sign-on functionality is implemented using the Ruby SAML library, which disclosed two authentication bypass vulnerabilities exploitable by an XML signature wrapping attack. The vulnerabilities, CVE-2025-25291 and CVE-2025-25292, were addressed by an upgrade of the Ru...