Skip to main content

consul-template CVE-2026-14361

| EUVDEUVD-2026-42346 MEDIUM
Improper Link Resolution Before File Access (CWE-59)
2026-07-08 security@hashicorp.com GHSA-xcm7-pmg9-8wjq
4.7
CVSS 3.1 · Vendor: hashicorp
Share

Severity by source

Vendor (hashicorp) PRIMARY
4.7 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
5.3 MEDIUM

Local access and high complexity required for symlink race; I:L added because description explicitly states existing files can be overwritten, which the vendor's I:N underweights.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (hashicorp).

CVSS VectorVendor: hashicorp

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Patch available
Jul 08, 2026 - 21:04 EUVD
Analysis Generated
Jul 08, 2026 - 20:58 vuln.today

DescriptionCVE.org

The consul-template library before version 0.42.1 is vulnerable to a path redirection issue in the writeToFile template helper that may allow template output to be written outside the intended directory or to overwrite an existing file. This vulnerability (CVE-2026-14361) is fixed in consul-template 0.42.1.

AnalysisAI

Path redirection via the writeToFile template helper in consul-template before 0.42.1 allows a local low-privileged attacker to redirect template output outside the intended destination directory or overwrite existing files on the filesystem. Because consul-template routinely renders sensitive secrets from HashiCorp Vault, Consul, and AWS Secrets Manager into local files, successful exploitation can expose those secrets by redirecting writes to attacker-readable locations. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local OS access (PR:L)
Delivery
Identify writeToFile destination path in active template
Exploit
Place symlink at destination path pointing outside intended directory
Execution
Wait for consul-template to render template and invoke writeToFile
Persist
Secrets written to attacker-controlled or attacker-readable path
Impact
Read exfiltrated secret material

Vulnerability AssessmentAI

Exploitation Exploitation requires local OS access with at least low-level privileges (PR:L per CVSS vector) on the system running consul-template. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 3.1 base score of 4.7 (Medium) reflects a realistic, constrained threat profile: local access is required (AV:L), the attack complexity is high (AC:H - likely a race condition or requires pre-placing a symlink before the write occurs), and low OS-level privileges are needed (PR:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local user with standard OS privileges pre-places a symlink at the path consul-template is expected to write to via the writeToFile helper, pointing to a sensitive file or an attacker-readable location outside the intended output directory. When consul-template renders the template and calls writeToFile, it follows the symlink and writes secret material (e.g., a Vault token or database credential) to the redirected location, where the attacker can read it. …
Remediation Upgrade consul-template to version 0.42.1 or later, which contains the vendor-released fix for this vulnerability per HashiCorp advisory HCSEC-2026-20 (https://discuss.hashicorp.com/t/hcsec-2026-20-consul-template-vulnerable-to-path-redirections-in-writetofile/77559). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-14361 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy