Skip to main content

Terraform Enterprise

6 CVEs product

Monthly

CVE-2026-14468 HIGH PATCH This Week

Arbitrary file read in HashiCorp Terraform Enterprise allows an authenticated user to escape the intended repository boundary during VCS-based registry module ingestion, pulling files from outside the source repository into a packaged module and downloading them. Because the ingestion process runs with its own filesystem privileges, an attacker can exfiltrate sensitive files (secrets, configuration, tokens) readable by that process. Reported by HashiCorp with no public exploit identified at time of analysis; the CVSS 7.7 (scope-changed) score reflects high confidentiality impact against a self-hosted enterprise platform.

Hashicorp Path Traversal Terraform Enterprise
NVD VulDB
CVSS 3.1
7.7
EPSS
0.3%
CVE-2023-3114 HIGH This Week

Terraform Enterprise since v202207-1 did not properly implement authorization rules for agent pools, allowing the workspace to be targeted by unauthorized agents. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Hashicorp Terraform Enterprise
NVD
CVSS 3.1
7.7
EPSS
0.4%
CVE-2022-25374 HIGH This Week

HashiCorp Terraform Enterprise v202112-1, v202112-2, v202201-1, and v202201-2 were configured to log inbound HTTP requests in a manner that may capture sensitive data. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Information Disclosure Terraform Enterprise
NVD
CVSS 3.1
7.5
EPSS
0.9%
CVE-2021-40862 HIGH This Week

HashiCorp Terraform Enterprise up to v202108-1 contained an API endpoint that erroneously disclosed a sensitive URL to authenticated parties, which could be used for privilege escalation or. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Hashicorp Privilege Escalation Information Disclosure Terraform Enterprise
NVD
CVSS 3.1
8.8
EPSS
1.0%
CVE-2021-3153 MEDIUM This Month

HashiCorp Terraform Enterprise up to v202102-2 failed to enforce an organization-level setting that required users within an organization to have two-factor authentication enabled. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Hashicorp Authentication Bypass Terraform Enterprise
NVD
CVSS 3.1
6.5
EPSS
0.7%
CVE-2020-15511 MEDIUM This Month

HashiCorp Terraform Enterprise up to v202006-1 contained a default signup page that allowed user registration even when disabled, bypassing SAML enforcement. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Authentication Bypass Terraform Enterprise
NVD GitHub
CVSS 3.1
5.3
EPSS
0.9%
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Arbitrary file read in HashiCorp Terraform Enterprise allows an authenticated user to escape the intended repository boundary during VCS-based registry module ingestion, pulling files from outside the source repository into a packaged module and downloading them. Because the ingestion process runs with its own filesystem privileges, an attacker can exfiltrate sensitive files (secrets, configuration, tokens) readable by that process. Reported by HashiCorp with no public exploit identified at time of analysis; the CVSS 7.7 (scope-changed) score reflects high confidentiality impact against a self-hosted enterprise platform.

Hashicorp Path Traversal Terraform Enterprise
NVD VulDB
EPSS 0% CVSS 7.7
HIGH This Week

Terraform Enterprise since v202207-1 did not properly implement authorization rules for agent pools, allowing the workspace to be targeted by unauthorized agents. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Hashicorp Terraform Enterprise
NVD
EPSS 1% CVSS 7.5
HIGH This Week

HashiCorp Terraform Enterprise v202112-1, v202112-2, v202201-1, and v202201-2 were configured to log inbound HTTP requests in a manner that may capture sensitive data. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Information Disclosure Terraform Enterprise
NVD
EPSS 1% CVSS 8.8
HIGH This Week

HashiCorp Terraform Enterprise up to v202108-1 contained an API endpoint that erroneously disclosed a sensitive URL to authenticated parties, which could be used for privilege escalation or. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Hashicorp Privilege Escalation Information Disclosure +1
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

HashiCorp Terraform Enterprise up to v202102-2 failed to enforce an organization-level setting that required users within an organization to have two-factor authentication enabled. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Hashicorp Authentication Bypass Terraform Enterprise
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

HashiCorp Terraform Enterprise up to v202006-1 contained a default signup page that allowed user registration even when disabled, bypassing SAML enforcement. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Authentication Bypass Terraform Enterprise
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy