189 matches found
Vault Audit Device Plugin Directory Guard Bypass via Legacy Path Option
Summary HashiCorp Vault and Vault Enterprise prior to 2.0.1 audit device validation logic did not consistently apply plugin directory protections when the legacy file audit path option was used. This vulnerability CVE-2026-5051 is fixed in 2.0.1, 1.21.6, 1.20.11, and 1.19.17. Background Vault...
Boundary Controller Incorrectly Handles HTTP Requests On Initialization Which May Lead to a Denial of Service
Summary Boundary Community Edition and Boundary Enterprise “Boundary” incorrectly handles HTTP requests during the initialization of the Boundary controller, potentially causing the Boundary server to terminate prematurely or allow an attacker to perform a denial of service attack. Boundary is on...
Nomad's exec2 task driver vulnerable to arbitrary file read/write on client host through symlink attack
Summary HashiCorp Nomad’s exec2 task driver prior to 0.1.2 is vulnerable to arbitrary file read and write on the client host as the Nomad process user through a symlink attack. This vulnerability CVE-2026-8052 is fixed in version 0.1.2 of the exec2 task driver. Background Nomad workloads are run ...
Consul UI Development Workflows Vulnerable to Dependency Confusion
Summary HashiCorp Consul and Consul Enterprise development workflows for releases from 1.12.0 up to 1.17.6, 1.18.2, and 1.19.0 were vulnerable to frontend dependency confusion which exclusively impacted development environments. This vulnerability was fixed in Consul development workflows for...
Vault Terraform Provider Applied Incorrect Defaults for LDAP Auth Method
Summary Vault’s Terraform Provider incorrectly set the default denynullbind parameter for the LDAP auth method to false by default, potentially resulting in an insecure configuration. If the underlying LDAP server allowed anonymous or unauthenticated binds, this could result in authentication...
Nomad vulnerable to path traversal in dynamic host volume which may lead to code execution
Summary HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to code execution on the client host through a path traversal attack. This vulnerability CVE-2026-7474 is fixed in Nomad 2.0.1, 1.11.5 and 1.10.11. Background Nomad’s Dynamic Host Volumes feature allows the cluster admin t...
Consul-template vulnerable to path redirections in writeToFile
Summary The consul-template library before version 0.42.1 is vulnerable to a path redirection issue in the writeToFile template helper that may allow template output to be written outside the intended directory or to overwrite an existing file. This vulnerability CVE-2026-14361 is fixed in...
Vault Login MFA Bypass of Rate Limiting and TOTP Token Reuse
Summary Vault and Vault Enterprise’s “Vault” login MFA rate limits could be bypassed and TOTP tokens could be reused. This vulnerability, CVE-2025-6015, is fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23. Background Vault’s login MFA is the...
Vagrant VMware Utility installation files vulnerable to modification by unprivileged user
Summary The Vagrant VMware Utility Windows installer targeted a custom location with a non-protected path that could be modified by an unprivileged user, introducing potential for unauthorized file system writes. This vulnerability, CVE-2024-10228, was fixed in Vagrant VMware Utility 1.0.23...
Vault Incorrectly Validated JSON Web Tokens (JWT) Audience Claims
Summary Vault and Vault Enterprise did not properly validate the JSON Web Token JWT role-bound audience claim when using the Vault JWT auth method. This may have resulted in Vault validating a JWT with audience and role-bound claims that do not match, allowing an invalid login to succeed when it...
Vault Enterprise Vulnerable to Padding Oracle Attacks When Using a CBC-Based Encryption Mechanism with a HSM
Summary A vulnerability was identified for specific Vault Enterprise “Vault” HSM integration configurations in which a padding oracle attack may be possible, due to Vault not properly applying an HMAC to messages sent from the HSM when using a CBC-based encryption mechanism. An attacker with...
Nomad Client Vulnerable to Decompression Bombs in Artifact Block
Summary A vulnerability was identified in Nomad and Nomad Enterprise “Nomad” such that a job submitted with a maliciously compressed source a.k.a “Zip Bomb” in an artifact stanza can cause excessive disk resource consumption, crashing a Nomad client agent. This vulnerability, CVE-2023-0821, was...
Nomad vulnerable to cross-namespace host volume claim deletion
Summary HashiCorp Nomad and Nomad Enterprise are vulnerable to a cross-namespace authorization bypass in the dynamic host volumes feature that may allow an operator holding the host volume delete permission in one namespace to delete a sticky volume claim belonging to a job in another namespace...
Boundary Workers Vulnerable to Denial of Service During TLS Handshake
Summary Boundary Community Edition and Boundary Enterprise “Boundary” workers are vulnerable to a denial-of-service condition during node enrollment TLS handshakes. An attacker with network access to the worker authentication listener may open a connection and delay or withhold the client...
Consul's event endpoint is vulnerable to denial of service
Summary Consul and Consul Enterprise’s “Consul” event endpoint is vulnerable to denial of service DoS due to lack of maximum value on the Content Length header. This vulnerability, CVE-2025-11375, is fixed in Consul Community Edition 1.22.0 and Consul Enterprise 1.22.0, 1.21.6, 1.20.8 and 1.18.12...
Vault Certificate Auth Method Did Not Validate Common Name For Non-CA Certificates
Summary Vault and Vault Enterprise “Vault” TLS certificate auth method did not correctly validate client certificates when configured with a non-CA certificate as trusted certificate . In this configuration, an attacker may be able to craft a malicious certificate that could be used to impersonat...
Vault TOTP Secrets Engine Code Reuse
Summary Vault and Vault Enterprise’s “Vault” TOTP Secrets Engine code validation endpoint is susceptible to code reuse within its validity period. This vulnerability, identified as CVE-2025-6014, is fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23...
Timing Side-Channel in Vault’s Userpass Auth Method
Summary A timing side channel in Vault and Vault Enterprise’s “Vault” userpass auth method allowed an attacker to distinguish between existing and non-existing users, and potentially enumerate valid usernames for Vault’s userpass auth method. This vulnerability, identified as CVE-2025-6011, is...
Nomad Vulnerable To Cross-Namespace Volume Creation Abusing CSI Write Permission
Summary Nomad Community and Nomad Enterprise “Nomad” volume specification is vulnerable to arbitrary cross-namespace volume creation through unauthorized Container Storage Interface CSI volume writes. This vulnerability, identified as CVE-2024-10975, is fixed in Nomad Community Edition 1.9.2 and...
Vault SSH Secrets Engine Configuration Did Not Restrict Valid Principals By Default
Summary Vault’s SSH secrets engine did not require the validprincipals list to contain a value by default. If the validprincipals and defaultuser fields of the SSH secrets engine configuration are not set, an SSH certificate requested by an authorized user to Vault’s SSH secrets engine could be...
Consul’s Connect Service Mesh Affected By Recent Envoy Security Releases
Summary Consul and Consul Enterprise “Consul” clusters using Consul Connect service mesh should be updated to adopt recent Envoy security releases. Consul’s 1.9 releases support only Envoy 1.16 and older, which are no longer supported and did not receive recent security fixes. Background Consul...
Nomad Malformed Job Parsing Results in Excessive CPU Usage
Summary Nomad and Nomad Enterprise “Nomad” allows anyone with access to Nomad’s API to submit HCL formatted jobs for parsing to return the equivalent JSON. This endpoint allowed malformed HCL configuration to be evaluated, resulting in excessive CPU usage on Nomad server agents. This vulnerabilit...
Nomad’s Exec and Java Task Drivers Did Not Isolate Processes
Summary Nomad and Nomad Enterprise “Nomad” exec and java task drivers may allow a malicious task to access information regarding processes associated with other tasks on the same node. This vulnerability, CVE-2021-3283, affects all prior Nomad versions and is fixed in the 0.12.10 and 1.0.3...
Vault Enterprise’s Sentinel EGP Policies May Impact Parent or Sibling Namespaces
Summary Vault Enterprise Sentinel EGP policies should be constrained to the namespace in which they’re applied, or to children namespaces. Incorrect parsing of the supplied path, when configuring EGP policies, allowed them to process requests in parent and sibling namespaces. This vulnerability,...
Nomad Docker driver vulnerable to host namespace bypass on Linux
Summary HashiCorp Nomad and Nomad Enterprise did not enforce the allowprivileged restriction for the Docker task driver’s host namespace mode options. This may allow an authenticated job submitter to run a container in a host namespace and access information belonging to the host or to other...
Memberlist vulnerable to denial of service via gossip message
Summary HashiCorp memberlist before version 0.6.0 is vulnerable to a denial-of-service issue in its push/pull state handling that may allow an attacker with network access to the gossip port to exhaust memory on a receiving node and cause the process to terminate. This vulnerability CVE-2026-1436...
Consul-template vulnerable to sandbox path bypass in file helper through symlink attack
Summary The consul-template library before version 0.42.0 is vulnerable to a sandbox path bypass in the file template helper that may allow reading an out-of-sandbox file. This vulnerability CVE-2026-5061 is fixed in consul-template 0.42.0. Background The file template function reads a local file...
Vault Vulnerable to Denial-of-Service via Unauthenticated Root Token Generation/Rekey Operations
Summary Vault is vulnerable to a denial-of-service condition where an unauthenticated attacker can repeatedly initiate or cancel root token generation or rekey operations, occupying the single in-progress operation slot. This prevents legitimate operators from completing these workflows. This...
Vault May Expose Tokens to Auth Plugins Due to Incorrect Header Sanitization
Summary If a Vault auth mount is configured to pass through the “Authorization” header, and the “Authorization” header is used to authenticate to Vault, Vault forwarded the Vault token to the auth plugin backend. This issue, CVE-2026-4525, is fixed in Vault Community Edition 2.0.0 and Vault...
Vault KVv2 Metadata and Secret Deletion Policy Bypass Denial-of-Service
Summary An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user to delete secrets across namespaces, nor read any...
Go-getter may allow to arbitrary filesystem reads through git operations
Summary HashiCorp’s go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This vulnerability, CVE-2026-4660, is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branch and...
Consul Vulnerable to Arbitrary File Reads Through the Vault Kubernetes Authentication Provider
Summary HashiCorp Consul and Consul Enterprise 1.18.20 up to 1.21.10 and 1.22.4 are vulnerable to arbitrary file read when configured with Kubernetes authentication. This vulnerability, CVE-2026-2808, is fixed in Consul 1.18.21, 1.21.11 and 1.22.5. Background The Consul kubernetes auth method typ...
Terraform Enterprise state versions can be created by users without sufficient write access
Summary Terraform state versions can be created by a user with specific but insufficient permissions in a Terraform Enterprise workspace. This may allow for the alteration of infrastructure if a subsequent plan operation is approved by a user with approval permission or is auto-applied. This...
Consul's KV endpoint is vulnerable to denial of service
Summary Consul and Consul Enterprise’s “Consul” key/value endpoint is vulnerable to denial of service DoS due to incorrect Content Length header validation. This vulnerability, CVE-2025-11374, is fixed in Consul Community Edition 1.22.0 and Consul Enterprise 1.22.0, 1.21.6, 1.20.8 and 1.18.12...
Incomplete Fix For Previous Vault DoS Issue
Summary A fix for a previous security issue impacting HashiCorp Vault HCSEC-2025-24 / CVE-2025-6203 was incomplete, and did not fully address the vulnerability. The fix was corrected in Vault versions 1.21.0, 1.20.5, 1.19.11, and 1.16.27. The CVE advisory and security bulletin have been updated t...
Vault LDAP MFA Enforcement Bypass When Using Username As Alias
Summary Vault and Vault Enterprise’s “Vault” ldap auth method may not have correctly enforced MFA if usernameasalias was set to true and a user had multiple CNs that are equal but with leading or trailing spaces. This vulnerability, CVE-2025-6013, is fixed in Vault Community Edition 1.20.2 and...
Vault Root Namespace Operator May Elevate Token Privileges
Summary A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or another user’s token privileges to Vault’s root policy. This vulnerability, identified as CVE-2025-5999, is fixed in Vault Community Edition 1.20.0 and Vault Enterprise...
HCSEC-2025-11 Vault Vulnerable to Recovery Key Cancellation Denial of Service
Summary Vault Community and Vault Enterprise rekey and recovery key operations can lead to a denial of service due to uncontrolled cancellation by a Vault operator. This vulnerability CVE-2025-4656 has been remediated in Vault Community Edition 1.20.0 and Vault Enterprise 1.20.0, 1.19.6, 1.18.11,...
Nomad Exposes Sensitive Workload Identity and Client Secret Token in Audit Logs
Summary Nomad Community and Nomad Enterprise “Nomad” are vulnerable to unintentional exposure of the workload identity token and client secret token in audit logs. This vulnerability, identified as CVE-2025-1296, is fixed in Nomad Community Edition 1.9.7 and Nomad Enterprise 1.9.7, 1.8.11, and...
Nomad Vulnerable To Event Stream Namespace ACL Policy Bypass Through Wildcard Namespace
Summary Nomad Community and Nomad Enterprise “Nomad” event stream configured with a wildcard namespace can bypass the ACL Policy allowing reads on other namespaces. This vulnerability, identified as CVE-2025-0937, is fixed in Nomad Community Edition 1.9.6 and Nomad Enterprise 1.9.6, 1.8.10, and...
HashiCorp go-slug Vulnerable to Zip Slip Attack
Summary HashiCorp’s go-slug library is vulnerable to a zip-slip style attack when a non-existing user-provided path is extracted from the tar entry. This vulnerability, identified as CVE-2025-0377, is fixed in go-slug 0.16.3. Background HashiCorp’s go-slug shared library offers functions for...
Nomad Allocations Vulnerable To Privilege Escalation Within A Namespace Using Unredacted Workload Identity Token
Summary Nomad Community and Nomad Enterprise “Nomad” allocations are vulnerable to privilege escalation within a namespace through unredacted workload identity tokens. This vulnerability, identified as CVE-2024-12678, is fixed in Nomad Community Edition 1.9.4 and Nomad Enterprise 1.9.4, 1.8.8, an...
Consul L7 Intentions Vulnerable To Headers Bypass
Summary A vulnerability was identified in Consul and Consul Enterprise “Consul” such that using Headers in L7 traffic intentions could bypass HTTP header based access rules. This vulnerability, identified as CVE-2024-10006, is fixed in Consul Community Edition 1.20.1 and Consul Enterprise 1.20.1,...
Consul L7 Intentions Vulnerable To URL Path Bypass
Summary A vulnerability was identified in Consul and Consul Enterprise “Consul” such that using URL paths in L7 traffic intentions could bypass HTTP request path-based access rules. This vulnerability, identified as CVE-2024-10005, is fixed in Consul Community Edition 1.20.1 and Consul Enterprise...
Vault Operators in Root Namespace May Elevate Their Privileges
Summary A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or another user’s privileges to Vault’s root policy. This vulnerability, identified as CVE-2024-9180, is fixed in Vault Community Edition 1.18.0 and Vault Enterprise 1.18....
Vault Enterprise Namespace Creation May Lead to Denial of Service
Summary An unhandled error in Vault Enterprise’s namespace creation may cause the Vault process to crash, potentially resulting in denial of service. This vulnerability, CVE-2023-3774, is fixed in Vault Enterprise 1.14.1, 1.13.5, and 1.12.9. Background Namespaces are a Vault Enterprise feature th...
Nomad Search API Leaks Information About CSI Plugins
Summary A vulnerability was identified in Nomad and Nomad Enterprise “Nomad” such that the search HTTP API can reveal names of available CSI plugins to unauthenticated users or users without the plugin:read policy. This vulnerability, CVE-2023-3300, affects Nomad since 0.11 and was fixed in 1.6.0...
Boundary Workers Store Rotated Credentials in Plaintext Even When Key Management Service Configured
Summary A vulnerability in Boundary was identified such that when a Key Management Service KMS was defined in Boundary’s configuration file with the intent of using the KMS to encrypt the credentials stored on disk, new credentials created after an automatic rotation may not have been encrypted v...
Nomad’s Workload Identity Token Can List Non-sensitive Metadata For nomad/ Paths
Summary A vulnerability was identified in Nomad and Nomad Enterprise “Nomad” such that a workload identity token can list non-sensitive metadata for paths under nomad/ that belong to other jobs in the same namespace.This vulnerability, CVE-2022-3866, was fixed in Nomad 1.4.2. Background Nomad’s...
Nomad Panics On Job Submission With Bad Artifact Stanza Source URL
Summary A vulnerability was identified in Nomad and Nomad Enterprise “Nomad” such that a job submitted with an invalid S3 or GCS URL in an artifact stanza can cause a panic, crashing a Nomad client agent. This vulnerability, CVE-2022-41606, was fixed in Nomad 1.2.13, 1.3.6, and 1.4.0. Background...