Home

Description

HashiCorp Nomad and Nomad Enterprise did not enforce the allow_privileged restriction for the Docker task driver's host namespace mode options. This may allow an authenticated job submitter to run a container in a host namespace and access information belonging to the host or to other workloads on the same client. This vulnerability, CVE-2026-14373, is fixed in Nomad Community Edition 2.0.4 and Nomad Enterprise 2.0.4, 1.11.8, and 1.10.14.

PUBLISHED Reserved 2026-07-01 | Published 2026-07-08 | Updated 2026-07-08 | Assigner HashiCorp




HIGH: 7.7CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Problem types

CWE-862: Missing Authorization

Product status

Default status
unaffected

0.4.1 (semver) before 2.0.4
affected

Default status
unaffected

0.4.1 (semver) before 2.0.4
affected

Credits

This issue was reported to HashiCorp by Deniz Onur Duzgun (@dduzgun-security).

References

discuss.hashicorp.com/...ost-namespace-bypass-on-linux/77557

cve.org (CVE-2026-14373)

nvd.nist.gov (CVE-2026-14373)

Download JSON