Skip to main content

HashiCorp Nomad CVE-2026-14896

| EUVDEUVD-2026-42392 MEDIUM
Incorrect Authorization (CWE-863)
2026-07-08 security@hashicorp.com GHSA-x2cv-wq6v-3cc9
4.2
CVSS 3.1 · Vendor: hashicorp
Share

Severity by source

Vendor (hashicorp) PRIMARY
4.2 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L
vuln.today AI
4.2 MEDIUM

Network-accessible API (AV:N), operator credentials required (PR:L), and specific multi-namespace dynamic host volume configuration prerequisite (AC:H); impact limited to integrity and availability of volume claims only.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (hashicorp).

CVSS VectorVendor: hashicorp

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jul 08, 2026 - 22:08 vuln.today
Patch available
Jul 08, 2026 - 22:04 EUVD

DescriptionCVE.org

HashiCorp Nomad and Nomad Enterprise are vulnerable to a cross-namespace authorization bypass in the dynamic host volumes feature that may allow an operator holding the host volume delete permission in one namespace to delete a sticky volume claim belonging to a job in another namespace. This vulnerability, CVE-2026-14896, is fixed in Nomad Community Edition 2.0.4 and Nomad Enterprise 2.0.4, 1.11.8, and 1.10.14.

AnalysisAI

Cross-namespace authorization bypass in HashiCorp Nomad's dynamic host volumes feature permits an authenticated operator holding host volume delete permissions in one namespace to delete sticky volume claims belonging to jobs in a different namespace. Both Nomad Community Edition and Nomad Enterprise are affected from version 0.4.1 up to 2.0.4, with Enterprise additionally receiving backport fixes in 1.11.8 and 1.10.14. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to Nomad API with low-privilege operator credentials
Delivery
Confirm target cluster uses multi-namespace dynamic host volumes
Exploit
Identify sticky volume claim in a foreign namespace
Execution
Submit host volume delete request referencing cross-namespace claim
Persist
Nomad skips namespace boundary enforcement
Impact
Volume claim deleted, target job loses persistent storage

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated Nomad operator account with the host volume delete ACL permission assigned in at least one namespace (PR:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 4.2 Medium, with vector AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L, accurately reflects a constrained but real authorization failure. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated Nomad operator in namespace 'team-a' with the host volume delete ACL capability submits a crafted delete request targeting a sticky volume claim associated with a job running in namespace 'team-b'. Because the namespace boundary check is absent, Nomad processes the deletion without validating cross-namespace authorization, and the target claim is removed. …
Remediation Upgrade to Nomad Community Edition 2.0.4 or Nomad Enterprise 2.0.4 to receive the primary fix. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2021-30476 CRITICAL POC
9.8 Apr 22

HashiCorp Terraform’s Vault Provider (terraform-provider-vault) did not correctly configure GCE-type bound labels for Va

CVE-2019-7442 CRITICAL POC
9.8 May 08

An XML external entity (XXE) vulnerability in the Password Vault Web Access (PVWA) of CyberArk Enterprise Password Vault

CVE-2018-20371 CRITICAL POC
9.8 Dec 23

PhotoRange Photo Vault 1.2 appends the password to the URI for authorization, which makes it easier for remote attackers

CVE-2018-9843 CRITICAL POC
9.8 Apr 12

The REST API in CyberArk Password Vault Web Access before 9.9.5 and 10.x before 10.1 allows remote attackers to execute

CVE-2026-60104 CRITICAL POC
9.3 Jul 08

Account takeover in self-hosted Bitwarden Server before 2026.6.0 lets a low-privileged organization member steal any oth

CVE-2021-43837 CRITICAL POC
9.1 Dec 16

vault-cli is a configurable command-line interface tool (and python library) to interact with Hashicorp Vault. Rated cri

CVE-2020-16272 CRITICAL POC
9.1 Aug 03

The SRP-6a implementation in Kee Vault KeePassRPC before 1.12.0 is missing validation for a client-provided parameter, w

CVE-2020-16271 CRITICAL POC
9.1 Aug 03

The SRP-6a implementation in Kee Vault KeePassRPC before 1.12.0 generates insufficiently random numbers, which allows re

CVE-2017-11741 HIGH POC
8.8 Aug 08

HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) before 4.0.24 uses weak permissions for the sudo help

CVE-2024-52009 HIGH POC
8.5 Nov 08

Atlantis is a self-hosted golang application that listens for Terraform pull request events via webhooks. Rated high sev

CVE-2025-58437 HIGH POC
8.1 Sep 06

Coder allows organizations to provision remote development environments via Terraform. Rated high severity (CVSS 8.1), t

Share

CVE-2026-14896 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy