
HashiCorp

Dev Platforms & CI/CD

Open CVEs: 9
Exploited: 0
KEV: 0
Unpatched: 8
No Workaround: 5
Internet-facing: 8

Why this provider is risky now

This provider has 9 open CVE(s) in the last 14 days. 8 have no vendor patch. 8 affect internet-facing services. 4 impact the management/identity plane.

Unpatched: 8 | Mgmt / Admin Plane: 4 | No Workaround: 5 | Internet-facing: 8

Top Risky CVEs

CVE-2026-9152 (Monitor, Unpatched)
A missing authentication vulnerability exists in the Altium 365 SearchService. A legacy SOAP endpoint exposes search index operations without requiring authentication, session tokens, or any form of i
Tags: Edge exposure, ICT dependency, No patch available, Management plane
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-306: Missing Authentication for Critical Function)
  • Third-party ICT: HashiCorp
  • No patch available
  • Management plane (Missing Authentication for Critical Function)
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: HashiCorp (Dev Platforms & CI/CD)
  • No remediation available
  • Authentication / access control weakness
CVSS: 10.0 | EPSS: 0.1% | Priority: 50
CVE-2026-46412 (Act Now, Unpatched)
Supply-chain compromise of the npm package @beproduct/nestjs-auth (versions 0.1.2 through 0.1.19) delivered the Mini Shai-Hulud worm payload via a malicious postinstall script, harvesting npm, GitHub, AWS, and HashiCorp Vault credentials from any developer or CI host that ran npm install during a 2h37m publication window on 2026-05-11. Confirmed actively exploited during that window via an attacker-controlled npm publish token; clean version 0.1.20 republishes the original 0.1.1 source tree. CVSS 10.0 reflects the unauthenticated, network-driven supply-chain delivery and scope change into the install environment.
Within 24 hours: Identify all systems (developers, CI/CD pipelines, build servers) that installed affected versions via package-lock.json, yarn.lock, or CI logs; immediately rotate all AWS access keys, GitHub personal access tokens, npm publish tokens, and HashiCorp Vault credentials; quarantine affected systems for forensic analysis.
Within 7 days: Upgrade all projects to @beproduct/nestjs-auth version 0.1.20 or remove the dependency entirely; run npm audit across the entire dependency tree; audit AWS CloudTrail, GitHub audit logs, and Vault access logs for post-2026-05-11 unauthorized activity.
Within 30 days: Implement Software Composition Analysis (SCA) tooling for continuous package monitoring; mandate pre-install signature verification for npm packages; complete the forensic investigation and incident report; evaluate replacing @beproduct/nestjs-auth with alternative packages.
Tags: ICT dependency, No patch available
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Third-party ICT: HashiCorp
  • No patch available
  • Moderate evidence (PoC / elevated EPSS)
DORA Relevant
  • CRITICAL severity
  • ICT provider: HashiCorp (Dev Platforms & CI/CD)
  • No remediation available
CVSS: 10.0 | Priority: 50
CVE-2026-47358 (Act Now, Unpatched)
Server-Side Request Forgery in Tenable Terrascan v1.18.3 and prior allows unauthenticated remote attackers to coerce the server into fetching arbitrary URLs, including file:// URIs that enable local file disclosure. The flaw is triggered when Terrascan runs in server mode and parses uploaded ARM or CloudFormation templates whose templateLink.uri, parametersLink.uri, or AWS::CloudFormation::Stack TemplateURL fields point to attacker-controlled destinations. No public exploit identified at time of analysis, and because Terrascan was archived in August 2023, no patch will ever be released.
Within 24 hours: Identify all Terrascan deployments (v1.18.3 and earlier) running in server mode and assess network exposure.
Within 7 days: Implement network access controls restricting inbound connections to Terrascan servers; disable server mode if operationally feasible; validate all uploaded template URIs to reject file:// schemes.
Within 30 days: Migrate to an actively maintained infrastructure-as-code scanning solution (alternatives include Tenable Nessus, Qualys, or community-maintained forks); plan decommissioning of Terrascan.
Tags: Edge exposure, ICT dependency, No patch available
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-918: Server-Side Request Forgery (SSRF))
  • Third-party ICT: HashiCorp
  • No patch available
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: HashiCorp (Dev Platforms & CI/CD)
  • No remediation available
CVSS: 9.2 | EPSS: 0.0% | Priority: 46
CVE-2026-47357 (Act Now, Unpatched)
Server-Side Request Forgery in Tenable's Terrascan IaC scanner (versions 1.18.3 and prior) lets unauthenticated remote attackers read arbitrary local files and exfiltrate ~/.netrc credentials when the tool runs in server mode. Because Terrascan was archived in August 2023, no vendor patch will ever be released, and the daemon binds to 0.0.0.0 with no authentication by default. No public exploit identified at time of analysis, but the CVSS 4.0 score of 9.2 reflects trivial network-reachable abuse paired with significant confidentiality scope change.
Within 24 hours: Inventory all systems running Terrascan versions 1.18.3 and prior, prioritizing those with network exposure.
Within 7 days: Disable Terrascan server mode on all affected systems and implement network isolation for any remaining instances.
Within 30 days: Decommission Terrascan entirely and migrate to actively maintained Infrastructure-as-Code scanning tools such as Checkov, TFLint, or Snyk.
Tags: Edge exposure, ICT dependency, No patch available
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-918: Server-Side Request Forgery (SSRF))
  • Third-party ICT: HashiCorp
  • No patch available
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: HashiCorp (Dev Platforms & CI/CD)
  • No remediation available
CVSS: 9.2 | EPSS: 0.0% | Priority: 46
CVE-2026-46354 (Act Now)
Unauthenticated agent token theft in Coder v2 (self-hosted developer workspace platform) stems from azureidentity.Validate() verifying the PKCS#7 signer's certificate chain but skipping signature verification of the signed content itself. Remote attackers who know a target VM's vmId (a UUIDv4) can forge a PKCS#7 envelope containing a legitimate Azure certificate alongside attacker-controlled content and POST it to the unauthenticated /api/v2/workspaceagents/azure-instance-identity endpoint to receive the victim workspace agent's session token, which then unlocks Git SSH keys, OAuth tokens for GitHub/GitLab/Bitbucket, and workspace secrets. No public exploit identified at time of analysis, but the vulnerability is vendor-confirmed via GHSA-6x44-w3xg-hqqf and a detailed root-cause analysis with attack-path diagram is published.
Within 24 hours: Identify all Coder v2 instances and assess integration with Git systems (GitHub/GitLab/Bitbucket) and OAuth providers; isolate critical instances if necessary.
Within 7 days: Apply the vendor-released patch to all Coder v2 instances.
Within 30 days: Audit workspace agent token usage logs for anomalies and proactively rotate all Git SSH keys and OAuth tokens.
Tags: Edge exposure, ICT dependency, Patched
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing technique: rce
  • Third-party ICT: GitLab, HashiCorp
  • Moderate evidence (PoC / elevated EPSS)
DORA Relevant
  • CRITICAL severity
  • ICT provider: GitLab (Dev Platforms & CI/CD)
  • ICT provider: HashiCorp (Dev Platforms & CI/CD)
CVSS: 9.1 | Priority: 46

By Exposure

Internet-facing: 8
Mgmt / Admin Plane: 4
Identity / Auth: 3
Internal only: 1

By Exploitability

Known exploited: 0
Public PoC: 0
High EPSS (>30%): 0
Remote unauthenticated: 6
Local only: 0

By Remediation

Patch available: 1
No patch: 8
Workaround available: 3
No workaround: 5

Affected Services / Product Families

HashiCorp
9 CVE(s)
CVE-2026-47357 CRITICAL Unpatched
CVE-2026-47358 CRITICAL Unpatched
CVE-2026-46354 CRITICAL Patched
CVE-2026-46412 CRITICAL Unpatched
CVE-2026-9152 CRITICAL Unpatched
CVE-2026-9223 Unpatched
CVE-2026-9246 Unpatched
CVE-2026-9248 Unpatched
CVE-2026-8903 MEDIUM Unpatched

Recommended Actions
