Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
Boundary Community Edition and Boundary Enterprise (“Boundary”) workers are vulnerable to a denial-of-service condition during node enrollment TLS handshakes. An attacker with network access to the worker authentication listener may open a connection and delay or withhold the client certificate during the TLS handshake, causing worker connection handling to block. This may prevent legitimate worker connections from being accepted or routed. This vulnerability, CVE-2026-7776, is fixed in Boundary 0.21.3, 0.20.3, 0.19.5.
AnalysisAI
Network-accessible denial-of-service in HashiCorp Boundary workers allows unauthenticated remote attackers to block legitimate worker connections by manipulating TLS handshake timing during node enrollment. Attackers can connect to the worker authentication listener and intentionally delay or withhold client certificates, causing connection handlers to block and preventing legitimate workers from enrolling or routing traffic. Both Community Edition and Enterprise versions prior to 0.21.3, 0.20.3, and 0.19.5 are vulnerable. EPSS data not provided; no CISA KEV listing indicating limited observed exploitation. Vendor-confirmed vulnerability with patches released across three active release branches.
Technical ContextAI
HashiCorp Boundary is an identity-based access management system for dynamic infrastructure. The vulnerability affects the worker node enrollment process, which uses mutual TLS authentication between workers and controllers. CWE-770 (Allocation of Resources Without Limits or Throttling) indicates the underlying issue: the worker authentication listener lacks proper timeout enforcement or resource limits during TLS handshakes. When a client initiates a TLS connection but delays presenting the required client certificate, the connection handler blocks waiting for the handshake to complete. Without proper timeouts or connection limits, multiple such malicious connections can exhaust the worker's connection handling capacity, creating a resource exhaustion condition. This affects both cpe:2.3:a:hashicorp:boundary (Community Edition) and cpe:2.3:a:hashicorp:boundary_enterprise across multiple version branches, indicating a fundamental design issue in the enrollment authentication pathway shared between editions.
RemediationAI
Upgrade to patched versions: Boundary 0.21.3 for 0.21.x deployments, 0.20.3 for 0.20.x deployments, or 0.19.5 for 0.19.x deployments. Refer to HashiCorp security bulletin HCSEC-2026-11 at https://discuss.hashicorp.com/t/hcsec-2026-11-boundary-workers-vulnerable-to-denial-of-service-during-tls-handshake for upgrade procedures and release notes. If immediate patching is not feasible, implement network-layer compensating controls: restrict worker authentication listener access using firewall rules or security groups to allow connections only from known controller IP addresses, eliminating exposure to untrusted networks. Deploy connection rate limiting at the network edge (load balancer or firewall level) to cap concurrent connections to worker listeners from any single source IP, reducing attack effectiveness. Monitor worker connection metrics and alert on anomalous connection patterns such as sustained incomplete TLS handshakes or connection exhaustion. Note that network restrictions are the most effective mitigation since they address the root attack vector (unauthenticated network access), while connection rate limiting only reduces attack impact. Neither workaround fully eliminates the vulnerability-patching remains the definitive solution.
HashiCorp Boundary up to 0.10.1 did not properly perform data integrity checks to ensure the resources were associated w
Boundary and Boundary Enterprise (“Boundary”) is vulnerable to session hijacking through TLS certificate tampering. Rate
HashiCorp Boundary from 0.10.0 through 0.11.2 contain an issue where when using a PKI-based worker with a Key Management
Hashicorp Boundary v0.8.0 is vulnerable to Clickjacking which allow for the interception of login credentials, re-direct
Boundary Community Edition and Boundary Enterprise (“Boundary”) incorrectly handle HTTP requests during the initializati
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27145
GHSA-7x9r-wcgg-w86f