Description
HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to code execution on the client host through a path traversal attack. This vulnerability (CVE-2026-7474) is fixed in Nomad 2.0.1, 1.11.5 and 1.10.11.
Published: 2026-05-12
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A path traversal vulnerability in HashiCorp Nomad and Nomad Enterprise allows an attacker to overwrite or read arbitrary files on the client host. The flaw is classified as CWE-22 (improper limitation of a pathname to a restricted directory) and can lead to arbitrary code execution, granting full control over the affected system. The vulnerability carries a CVSS score of 8.8, indicating a high severity impact on confidentiality, integrity, and availability.

Affected Systems

All versions of HashiCorp Nomad and Nomad Enterprise released prior to 2.0.1, 1.11.5, and 1.10.11 are affected. The defect exists in the handling of dynamic host volumes and is fixed in the mentioned releases.

Risk and Exploitability

Because the vulnerability relies on path traversal within dynamic host volumes, an attacker who can influence volume configuration or file creation may execute arbitrary commands on the client host. The EPSS score is not available, so the current exploitation probability is unclear; however, the high CVSS score and public disclosure warrant immediate attention. The vulnerability is not listed in CISA's KEV catalog, but its severity and potential for remote code execution make it a high-priority risk.

Generated by OpenCVE AI on May 12, 2026 at 21:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Nomad 2.0.1, 1.11.5, or 1.10.11 to apply the vendor fix
  • Restrict who can create or manipulate dynamic host volumes and ensure only trusted, privileged accounts can perform these actions
  • Implement file-path validation on client hosts to guard against traversal attempts (CWE-22 mitigation)
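The file-path validation recommended above, shown as an added example in Go (Nomad's implementation language) rather than Nomad's own code: a client-supplied relative path is confined to a host volume root, rejecting absolute requests, lexical ".." traversal, and escapes through symlinks on the parts of the path that already exist. The function names (ResolveUnderRoot, isWithin, evalExisting) and the volume-root layout are assumptions for illustration.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a requested path would leave the volume root (assumed name).
var ErrOutsideRoot = errors.New("requested path escapes the host volume root")

// ResolveUnderRoot maps a client-supplied relative path onto the host volume root and
// returns the symlink-resolved absolute path, or ErrOutsideRoot if the path escapes.
func ResolveUnderRoot(root, requested string) (string, error) {
	realRoot, err := filepath.EvalSymlinks(root) // root must already exist
	if err != nil {
		return "", err
	}
	joined := filepath.Join(realRoot, requested) // Join cleans "." and ".." segments
	// Reject absolute requests and lexical traversal such as "../../etc/passwd".
	if filepath.IsAbs(requested) || !isWithin(realRoot, joined) {
		return "", ErrOutsideRoot
	}
	resolved, err := evalExisting(joined) // a symlink inside root may still point outside it
	if err != nil {
		return "", err
	}
	if !isWithin(realRoot, resolved) {
		return "", ErrOutsideRoot
	}
	return resolved, nil
}

// isWithin reports whether p equals root or lies beneath it.
func isWithin(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// evalExisting resolves symlinks in the longest existing prefix of p and re-appends the
// not-yet-created tail, so a path that is about to be created is checked as well.
func evalExisting(p string) (string, error) {
	for cur, tail := p, ""; ; cur = filepath.Dir(cur) {
		if r, err := filepath.EvalSymlinks(cur); err == nil {
			return filepath.Join(r, tail), nil
		} else if !os.IsNotExist(err) {
			return "", err
		}
		tail = filepath.Join(filepath.Base(cur), tail)
	}
}
```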

Advisories
Source: Github GHSA
ID: GHSA-hx53-77qj-8663
Title: HashiCorp Nomad vulnerable to a path traversal
History

Wed, 13 May 2026 11:00:00 +0000

  Type: First Time appeared
  Values Added: Hashicorp; Hashicorp nomad; Hashicorp nomad Enterprise

  Type: Vendors & Products
  Values Added: Hashicorp; Hashicorp nomad; Hashicorp nomad Enterprise

Tue, 12 May 2026 21:15:00 +0000

  Type: Metrics (ssvc)
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 12 May 2026 19:30:00 +0000

  Type: Description
  Values Added: HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to code execution on the client host through a path traversal attack. This vulnerability (CVE-2026-7474) is fixed in Nomad 2.0.1, 1.11.5 and 1.10.11.

  Type: Title
  Values Added: Nomad vulnerable to path traversal in dynamic host volume which may lead to code execution

  Type: Weaknesses
  Values Added: CWE-22

  Type: References (no values listed)

  Type: Metrics (cvssV3_1)
  Values Added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: HashiCorp

Published:

Updated: 2026-05-13T03:58:40.530Z

Reserved: 2026-04-29T21:07:13.054Z

Link: CVE-2026-7474

Vulnrichment

Updated: 2026-05-12T20:23:50.764Z

NVD

Status: Deferred

Published: 2026-05-12T20:16:46.380

Modified: 2026-05-13T15:53:17.173

Link: CVE-2026-7474

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T10:36:34Z

Weaknesses