Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Network-reachable with low complexity but needs an authenticated module-publisher (PR:L); scope change reflects reading files outside the module boundary; confidentiality-only impact so I/A:N.
Primary rating from Vendor (HashiCorp).
CVSS VectorVendor: HashiCorp
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
HashiCorp Terraform Enterprise contained an issue in its version control system (VCS) ingestion of registry modules that did not correctly enforce the intended boundary on packaged module content. This may allow an authenticated user to include files from outside the intended repository content in a module and then download them, potentially exposing sensitive files readable by the ingestion process. This vulnerability, CVE-2026-14468, is fixed in Terraform Enterprise v2.0.4 and v1.2.4.
Articles & Coverage 2
AnalysisAI
Arbitrary file read in HashiCorp Terraform Enterprise allows an authenticated user to escape the intended repository boundary during VCS-based registry module ingestion, pulling files from outside the source repository into a packaged module and downloading them. Because the ingestion process runs with its own filesystem privileges, an attacker can exfiltrate sensitive files (secrets, configuration, tokens) readable by that process. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated Terraform Enterprise account with permission to publish or trigger VCS-based ingestion of a registry module (CVSS PR:L confirms authentication is required). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N is internally consistent with the description: network-reachable, low complexity, requires low-privilege authentication (a user able to publish/ingest a module), no user interaction, and a scope change reflecting that the leaked files live outside the module's authorization boundary, with high confidentiality but no integrity or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who holds a low-privilege but authenticated Terraform Enterprise account with rights to publish a registry module crafts a repository containing traversal references (e.g. symlinks or relative paths) pointing at sensitive host files. … |
| Remediation | Vendor-released patch: upgrade Terraform Enterprise to v2.0.4 (v2.x line) or v1.2.4 (v1.2.x line), per HashiCorp advisory HCSEC-2026-17 (https://discuss.hashicorp.com/t/hcsec-2026-17-terraform-enterprise-vulnerable-to-arbitrary-file-read/77549). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Terraform Enterprise instances with VCS-integrated registry module ingestion enabled; identify service account credentials with filesystem access; review recent module ingestion logs for suspicious activity. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Terraform Enterprise
View allHashiCorp Terraform Enterprise up to v202108-1 contained an API endpoint that erroneously disclosed a sensitive URL to a
Terraform Enterprise since v202207-1 did not properly implement authorization rules for agent pools, allowing the worksp
HashiCorp Terraform Enterprise v202112-1, v202112-2, v202201-1, and v202201-2 were configured to log inbound HTTP reques
HashiCorp Terraform Enterprise up to v202102-2 failed to enforce an organization-level setting that required users withi
HashiCorp Terraform Enterprise up to v202006-1 contained a default signup page that allowed user registration even when
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41946
GHSA-29x3-448h-cjxw