Severity by source
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
The consul-template library before version 0.42.0 is vulnerable to a sandbox path bypass in the file template helper that may allow reading an out-of-sandbox file. This vulnerability (CVE-2026-5061) is fixed in consul-template 0.42.0.
AnalysisAI
Sandbox path bypass in consul-template before 0.42.0 allows local authenticated users to read files outside the intended sandbox via symlink attack in the file template helper. The vulnerability requires local access and elevated privileges but grants high confidentiality impact. Vendor-released patch available in version 0.42.0.
Technical ContextAI
consul-template is a HashiCorp tool that manages template rendering using data from Consul. The file template helper function implements a sandbox mechanism intended to restrict file access to a designated directory. The vulnerability exploits improper handling of symlinks (CWE-59: Improper Link Resolution Before File Access, a.k.a. 'link following' or 'symlink race') in the file helper, allowing an authenticated local user to bypass sandbox restrictions by crafting symlink paths that traverse outside the sandbox boundary. The CPE identifies the HashiCorp tooling product suite, and the specific vulnerability affects the templating library's file access control logic.
RemediationAI
Upgrade consul-template to version 0.42.0 or later immediately. This is the vendor-released patch that resolves the symlink-based sandbox bypass. Organizations unable to upgrade immediately should restrict local user access to systems running consul-template and disable file template helper functionality if not required for operations. Additionally, enforce strict filesystem permissions to prevent untrusted users from creating symlinks in directories where templates are rendered or where template input files are stored. Monitor template execution logs for suspicious file access patterns or symlink traversal attempts. Note that restricting the file helper may impact template functionality, so coordinate with application teams before implementing this control.
Same weakness CWE-59 – Improper Link Resolution Before File Access
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29483
GHSA-m633-g3vp-7qw3