Severity by source
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Local access and high complexity required for symlink race; I:L added because description explicitly states existing files can be overwritten, which the vendor's I:N underweights.
Primary rating from Vendor (hashicorp).
CVSS VectorVendor: hashicorp
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The consul-template library before version 0.42.1 is vulnerable to a path redirection issue in the writeToFile template helper that may allow template output to be written outside the intended directory or to overwrite an existing file. This vulnerability (CVE-2026-14361) is fixed in consul-template 0.42.1.
AnalysisAI
Path redirection via the writeToFile template helper in consul-template before 0.42.1 allows a local low-privileged attacker to redirect template output outside the intended destination directory or overwrite existing files on the filesystem. Because consul-template routinely renders sensitive secrets from HashiCorp Vault, Consul, and AWS Secrets Manager into local files, successful exploitation can expose those secrets by redirecting writes to attacker-readable locations. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local OS access with at least low-level privileges (PR:L per CVSS vector) on the system running consul-template. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 3.1 base score of 4.7 (Medium) reflects a realistic, constrained threat profile: local access is required (AV:L), the attack complexity is high (AC:H - likely a race condition or requires pre-placing a symlink before the write occurs), and low OS-level privileges are needed (PR:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local user with standard OS privileges pre-places a symlink at the path consul-template is expected to write to via the writeToFile helper, pointing to a sensitive file or an attacker-readable location outside the intended output directory. When consul-template renders the template and calls writeToFile, it follows the symlink and writes secret material (e.g., a Vault token or database credential) to the redirected location, where the attacker can read it. … |
| Remediation | Upgrade consul-template to version 0.42.1 or later, which contains the vendor-released fix for this vulnerability per HashiCorp advisory HCSEC-2026-20 (https://discuss.hashicorp.com/t/hcsec-2026-20-consul-template-vulnerable-to-path-redirections-in-writetofile/77559). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-59 – Improper Link Resolution Before File Access
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42346
GHSA-xcm7-pmg9-8wjq