Skip to main content

HashiCorp Boundary EUVDEUVD-2026-27145

| CVE-2026-7776 HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-05-04 HashiCorp GHSA-7x9r-wcgg-w86f
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Patch available
May 04, 2026 - 23:02 EUVD
Analysis Generated
May 04, 2026 - 22:16 vuln.today

DescriptionCVE.org

Boundary Community Edition and Boundary Enterprise (“Boundary”) workers are vulnerable to a denial-of-service condition during node enrollment TLS handshakes. An attacker with network access to the worker authentication listener may open a connection and delay or withhold the client certificate during the TLS handshake, causing worker connection handling to block. This may prevent legitimate worker connections from being accepted or routed. This vulnerability, CVE-2026-7776, is fixed in Boundary 0.21.3, 0.20.3, 0.19.5.

AnalysisAI

Network-accessible denial-of-service in HashiCorp Boundary workers allows unauthenticated remote attackers to block legitimate worker connections by manipulating TLS handshake timing during node enrollment. Attackers can connect to the worker authentication listener and intentionally delay or withhold client certificates, causing connection handlers to block and preventing legitimate workers from enrolling or routing traffic. Both Community Edition and Enterprise versions prior to 0.21.3, 0.20.3, and 0.19.5 are vulnerable. EPSS data not provided; no CISA KEV listing indicating limited observed exploitation. Vendor-confirmed vulnerability with patches released across three active release branches.

Technical ContextAI

HashiCorp Boundary is an identity-based access management system for dynamic infrastructure. The vulnerability affects the worker node enrollment process, which uses mutual TLS authentication between workers and controllers. CWE-770 (Allocation of Resources Without Limits or Throttling) indicates the underlying issue: the worker authentication listener lacks proper timeout enforcement or resource limits during TLS handshakes. When a client initiates a TLS connection but delays presenting the required client certificate, the connection handler blocks waiting for the handshake to complete. Without proper timeouts or connection limits, multiple such malicious connections can exhaust the worker's connection handling capacity, creating a resource exhaustion condition. This affects both cpe:2.3:a:hashicorp:boundary (Community Edition) and cpe:2.3:a:hashicorp:boundary_enterprise across multiple version branches, indicating a fundamental design issue in the enrollment authentication pathway shared between editions.

RemediationAI

Upgrade to patched versions: Boundary 0.21.3 for 0.21.x deployments, 0.20.3 for 0.20.x deployments, or 0.19.5 for 0.19.x deployments. Refer to HashiCorp security bulletin HCSEC-2026-11 at https://discuss.hashicorp.com/t/hcsec-2026-11-boundary-workers-vulnerable-to-denial-of-service-during-tls-handshake for upgrade procedures and release notes. If immediate patching is not feasible, implement network-layer compensating controls: restrict worker authentication listener access using firewall rules or security groups to allow connections only from known controller IP addresses, eliminating exposure to untrusted networks. Deploy connection rate limiting at the network edge (load balancer or firewall level) to cap concurrent connections to worker listeners from any single source IP, reducing attack effectiveness. Monitor worker connection metrics and alert on anomalous connection patterns such as sustained incomplete TLS handshakes or connection exhaustion. Note that network restrictions are the most effective mitigation since they address the root attack vector (unauthenticated network access), while connection rate limiting only reduces attack impact. Neither workaround fully eliminates the vulnerability-patching remains the definitive solution.

Share

EUVD-2026-27145 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy