Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L
Network-accessible API (AV:N), operator credentials required (PR:L), and specific multi-namespace dynamic host volume configuration prerequisite (AC:H); impact limited to integrity and availability of volume claims only.
Primary rating from Vendor (hashicorp).
CVSS VectorVendor: hashicorp
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
HashiCorp Nomad and Nomad Enterprise are vulnerable to a cross-namespace authorization bypass in the dynamic host volumes feature that may allow an operator holding the host volume delete permission in one namespace to delete a sticky volume claim belonging to a job in another namespace. This vulnerability, CVE-2026-14896, is fixed in Nomad Community Edition 2.0.4 and Nomad Enterprise 2.0.4, 1.11.8, and 1.10.14.
AnalysisAI
Cross-namespace authorization bypass in HashiCorp Nomad's dynamic host volumes feature permits an authenticated operator holding host volume delete permissions in one namespace to delete sticky volume claims belonging to jobs in a different namespace. Both Nomad Community Edition and Nomad Enterprise are affected from version 0.4.1 up to 2.0.4, with Enterprise additionally receiving backport fixes in 1.11.8 and 1.10.14. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated Nomad operator account with the host volume delete ACL permission assigned in at least one namespace (PR:L). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 4.2 Medium, with vector AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L, accurately reflects a constrained but real authorization failure. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated Nomad operator in namespace 'team-a' with the host volume delete ACL capability submits a crafted delete request targeting a sticky volume claim associated with a job running in namespace 'team-b'. Because the namespace boundary check is absent, Nomad processes the deletion without validating cross-namespace authorization, and the target claim is removed. … |
| Remediation | Upgrade to Nomad Community Edition 2.0.4 or Nomad Enterprise 2.0.4 to receive the primary fix. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
HashiCorp Terraform’s Vault Provider (terraform-provider-vault) did not correctly configure GCE-type bound labels for Va
An XML external entity (XXE) vulnerability in the Password Vault Web Access (PVWA) of CyberArk Enterprise Password Vault
PhotoRange Photo Vault 1.2 appends the password to the URI for authorization, which makes it easier for remote attackers
The REST API in CyberArk Password Vault Web Access before 9.9.5 and 10.x before 10.1 allows remote attackers to execute
Account takeover in self-hosted Bitwarden Server before 2026.6.0 lets a low-privileged organization member steal any oth
vault-cli is a configurable command-line interface tool (and python library) to interact with Hashicorp Vault. Rated cri
The SRP-6a implementation in Kee Vault KeePassRPC before 1.12.0 is missing validation for a client-provided parameter, w
The SRP-6a implementation in Kee Vault KeePassRPC before 1.12.0 generates insufficiently random numbers, which allows re
HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) before 4.0.24 uses weak permissions for the sudo help
Atlantis is a self-hosted golang application that listens for Terraform pull request events via webhooks. Rated high sev
Coder allows organizations to provision remote development environments via Terraform. Rated high severity (CVSS 8.1), t
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42392
GHSA-x2cv-wq6v-3cc9