Description
HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to arbitrary file read and write on the client host as the Nomad process user through a symlink attack. This vulnerability (CVE-2026-6959) is fixed in Nomad 2.0.1, 1.11.5 and 1.10.11.
Published: 2026-05-12
Score: 6 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

HashiCorp Nomad and its Enterprise edition allow an attacker who can submit a job specification to create a symbolic link that points to an arbitrary file on the client host. Because the Nomad agent follows the link while running as the Nomad process user, the attacker can read or overwrite files with that user's privileges, affecting the confidentiality and integrity of data on the client system. The flaw is classified as CWE-59 (Improper Link Resolution Before File Access, i.e. link following), and it breaks the isolation boundary between the job's working directory and the underlying host filesystem.

Affected Systems

All releases of HashiCorp Nomad and HashiCorp Nomad Enterprise prior to 2.0.1 are affected. The fix is available in 2.0.1 and in the 1.11.5 and 1.10.11 maintenance releases.

Risk and Exploitability

The CVSS score of 6 marks the issue as medium severity. No EPSS data has been published, and the vulnerability is not listed in the CISA KEV catalog, so there is no confirmed exploitation in the wild at this time. An attacker needs the ability to submit job files to a Nomad cluster, which typically requires local or authenticated remote access. Once a job containing a crafted symbolic link is accepted, the Nomad agent follows the link and performs the requested read or write under its own service UID.

Generated by OpenCVE AI on May 12, 2026 at 21:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Nomad clients and servers to version 2.0.1, 1.11.5, or 1.10.11 or later.
  • Restrict job submission privileges to trusted users; apply role-based access control so that only authorized personnel can submit jobs and define task artifacts.
  • If an immediate upgrade is not possible, prevent the creation or following of symbolic links in the Nomad client working directory through OS-level security controls (e.g., SELinux/AppArmor policies or filesystem permissions).

Generated by OpenCVE AI on May 12, 2026 at 21:13 UTC.
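The first recommended action is a version check, and the three patched releases are spread across three maintenance lines, so a naive string comparison gets it wrong (1.11.4 is vulnerable, 1.10.11 is fixed). The following is an added example, not OpenCVE's or HashiCorp's code: it encodes only the fixed versions stated in this advisory (2.0.1, 1.11.5, 1.10.11) and treats every other release below 2.0.1 as vulnerable, exactly as the description says. It assumes `nomad version` prints a line of the form `Nomad v<major>.<minor>.<patch>[+ent]`; the sample output and the revision string are constructed for the example.

```python
"""Check whether a deployed Nomad release carries the CVE-2026-6959 fix.

Added example, not part of the OpenCVE record or of Nomad itself.
Fixed releases come from the advisory text; anything else below 2.0.1
is treated as vulnerable, as the advisory states.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# First patched release on each maintenance line (from the advisory).
FIXED_RELEASES = {
    (2, 0): (2, 0, 1),
    (1, 11): (1, 11, 5),
    (1, 10): (1, 10, 11),
}
# Everything at or above 2.0.1 is fixed; everything below it is affected
# unless it sits on one of the patched maintenance lines above.
FIRST_FIXED_RELEASE: Version = (2, 0, 1)

# Accepts "1.11.4", "v1.11.4", "1.11.4+ent", "1.11.4-rc1".
# Assumption: pre-release/build suffixes are ignored for the comparison.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$")


def parse_version(text: str) -> Version:
    """Parse a Nomad version string into (major, minor, patch).

    Raises ValueError for anything that is not a three-part version, so a
    garbled input never silently reads as 'fixed'.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Nomad version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_fixed(version: str) -> bool:
    """Return True if this release contains the CVE-2026-6959 fix."""
    v = parse_version(version)
    if v >= FIRST_FIXED_RELEASE:
        return True
    line = (v[0], v[1])
    if line in FIXED_RELEASES:
        return v >= FIXED_RELEASES[line]
    # Older maintenance lines (e.g. 1.9.x) have no patched release listed.
    return False


def extract_version(nomad_version_output: str) -> Optional[str]:
    """Pull the version token out of `nomad version` output.

    Assumes the first line looks like 'Nomad v1.11.4' or 'Nomad v1.11.4+ent'.
    """
    m = re.search(r"\bNomad\s+(v?\d+\.\d+\.\d+\S*)", nomad_version_output)
    return m.group(1) if m else None


def audit_output(nomad_version_output: str) -> dict:
    """Classify captured `nomad version` output for this advisory."""
    token = extract_version(nomad_version_output)
    if token is None:
        return {"version": None, "fixed": None, "note": "version not found in output"}
    return {"version": token, "fixed": is_fixed(token), "note": "CVE-2026-6959"}


# Constructed sample output (not captured from a real host).
SAMPLE_OUTPUT = (
    "Nomad v1.11.4+ent\n"
    "BuildDate 2026-01-01T00:00:00Z\n"
    "Revision 0000000000000000000000000000000000000000\n"
)

if __name__ == "__main__":
    result = audit_output(SAMPLE_OUTPUT)
    status = "fixed" if result["fixed"] else "VULNERABLE"
    print(f"{result['version']}: {status} ({result['note']})")
```

In practice the output would come from `nomad version` on each client and server, fed to `audit_output`; the per-line table is the part worth keeping, since any agent that is not on one of the three patched lines, or is below the patched release on its line, needs the upgrade.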

Tracking


Advisories

No advisories yet.

History

Tue, 12 May 2026 21:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 12 May 2026 19:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to arbitrary file read and write on the client host as the Nomad process user through a symlink attack. This vulnerability (CVE-2026-6959) is fixed in Nomad 2.0.1, 1.11.5 and 1.10.11.

Type: Title
Values Removed: (none)
Values Added: Nomad vulnerable to arbitrary file read/write on client host through symlink attack

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-59

Type: References
Values Removed: (none)
Values Added:

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 6, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: HashiCorp

Published:

Updated: 2026-05-12T20:16:15.200Z

Reserved: 2026-04-24T14:29:55.377Z

Link: CVE-2026-6959

Vulnrichment

Updated: 2026-05-12T20:15:22.179Z

NVD

Status : Received

Published: 2026-05-12T20:16:46.267

Modified: 2026-05-12T20:16:46.267

Link: CVE-2026-6959

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T21:15:29Z

Weaknesses