Description
HashiCorp Nomad’s exec2 task driver prior to 0.1.2 is vulnerable to arbitrary file read and write on the client host as the Nomad process user through a symlink attack. This vulnerability (CVE-2026-8052) is fixed in version 0.1.2 of the exec2 task driver.
Problem types
CWE-59: Improper Link Resolution Before File Access (Link Following)
Product status
Affected: from 0.1.0 (semver) before 0.1.2
Credits
This issue was identified by the Nomad engineering team in conjunction with Alex Manson (Aiven / NeuroWinter).
References
discuss.hashicorp.com/...t-host-through-symlink-attack/77415