Home

Description

HashiCorp Nomad and Nomad Enterprise are vulnerable to a sandbox escape in the Docker task driver that may allow a job submitter to bind-mount a host path into a container even when volume bind mounts are disabled, potentially leading to reading and writing files on the host. This vulnerability, CVE-2026-14891, is fixed in Nomad Community Edition 2.0.4 and Nomad Enterprise 2.0.4, 1.11.8, and 1.10.14.

PUBLISHED Reserved 2026-07-06 | Published 2026-07-08 | Updated 2026-07-08 | Assigner HashiCorp




HIGH: 8.7CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

Problem types

CWE-59: Improper Link Resolution Before File Access (Link Following)

Product status

Default status
unaffected

0.4.1 (semver) before 2.0.4
affected

Default status
unaffected

0.4.1 (semver) before 2.0.4
affected

Credits

This issue was reported to HashiCorp by Volkan Kutal, GitHub handle @KutalVolkan.

References

discuss.hashicorp.com/...-escape-in-docker-task-driver/77561

cve.org (CVE-2026-14891)

nvd.nist.gov (CVE-2026-14891)

Download JSON