Skip to main content

Terraform Enterprise CVE-2026-14468

| EUVDEUVD-2026-41946 HIGH
Path Traversal (CWE-22)
2026-07-06 HashiCorp GHSA-29x3-448h-cjxw
7.7
CVSS 3.1 · Vendor: HashiCorp
Share

Severity by source

Vendor (HashiCorp) PRIMARY
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
vuln.today AI
7.7 HIGH

Network-reachable with low complexity but needs an authenticated module-publisher (PR:L); scope change reflects reading files outside the module boundary; confidentiality-only impact so I/A:N.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Primary rating from Vendor (HashiCorp).

CVSS VectorVendor: HashiCorp

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Patch available
Jul 06, 2026 - 22:02 EUVD
Analysis Generated
Jul 06, 2026 - 21:55 vuln.today

DescriptionCVE.org

HashiCorp Terraform Enterprise contained an issue in its version control system (VCS) ingestion of registry modules that did not correctly enforce the intended boundary on packaged module content. This may allow an authenticated user to include files from outside the intended repository content in a module and then download them, potentially exposing sensitive files readable by the ingestion process. This vulnerability, CVE-2026-14468, is fixed in Terraform Enterprise v2.0.4 and v1.2.4.

AnalysisAI

Arbitrary file read in HashiCorp Terraform Enterprise allows an authenticated user to escape the intended repository boundary during VCS-based registry module ingestion, pulling files from outside the source repository into a packaged module and downloading them. Because the ingestion process runs with its own filesystem privileges, an attacker can exfiltrate sensitive files (secrets, configuration, tokens) readable by that process. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with module-publish rights
Delivery
Craft repo with path-traversal/symlink references
Exploit
Ingest module via VCS registry
Execution
Packaging bundles out-of-repo files
Persist
Download module archive
Impact
Exfiltrate sensitive host files

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated Terraform Enterprise account with permission to publish or trigger VCS-based ingestion of a registry module (CVSS PR:L confirms authentication is required). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N is internally consistent with the description: network-reachable, low complexity, requires low-privilege authentication (a user able to publish/ingest a module), no user interaction, and a scope change reflecting that the leaked files live outside the module's authorization boundary, with high confidentiality but no integrity or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who holds a low-privilege but authenticated Terraform Enterprise account with rights to publish a registry module crafts a repository containing traversal references (e.g. symlinks or relative paths) pointing at sensitive host files. …
Remediation Vendor-released patch: upgrade Terraform Enterprise to v2.0.4 (v2.x line) or v1.2.4 (v1.2.x line), per HashiCorp advisory HCSEC-2026-17 (https://discuss.hashicorp.com/t/hcsec-2026-17-terraform-enterprise-vulnerable-to-arbitrary-file-read/77549). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Terraform Enterprise instances with VCS-integrated registry module ingestion enabled; identify service account credentials with filesystem access; review recent module ingestion logs for suspicious activity. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-14468 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy