Description
HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to code execution on the client host through a path traversal attack. This vulnerability (CVE-2026-7474) is fixed in Nomad 2.0.1, 1.11.5 and 1.10.11.
Published: 2026-05-12
Score: 8.8 High
EPSS: 6.9% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

HashiCorp Nomad and Nomad Enterprise contain a path traversal flaw in the handling of dynamic host volumes. The vulnerability can potentially allow an attacker to reference files outside the intended directory, and the CVE notes that this may lead to code execution on the client host. The description does not explicitly state that arbitrary file overwrite or read is possible; based on the stated impact it is inferred that accessing or modifying files could be part of the exploitation chain. Classified as CWE‑22, the flaw has a CVSS score of 8.8, indicating high severity impact on confidentiality, integrity and availability.

Affected Systems

All versions of HashiCorp Nomad and Nomad Enterprise released prior to 2.0.1, 1.11.5, and 1.10.11 are affected. The defect exists in the handling of dynamic host volumes and is fixed in the mentioned releases.

Risk and Exploitability

Because the vulnerability relies on path traversal within dynamic host volumes, an attacker who can influence volume configuration or file creation may execute arbitrary commands on the client host. The EPSS score of 7% indicates a moderate probability of exploitation; however, the high CVSS score and public disclosure warrant immediate attention. The vulnerability is not listed in CISA’s KEV catalog, but its severity and potential for remote code execution make it a high‑priority risk.

Generated by OpenCVE AI on June 24, 2026 at 12:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Nomad 2.0.1, 1.11.5, or 1.10.11 to apply the vendor fix
  • Restrict who can create or manipulate dynamic host volumes and ensure only trusted, privileged accounts can perform these actions
  • Implement file‑path validation on client hosts to guard against traversal attempts (CWE‑22 mitigation)

Generated by OpenCVE AI on June 24, 2026 at 12:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-hx53-77qj-8663 HashiCorp Nomad vulnerable to a path traversal
History

Wed, 13 May 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Hashicorp
Hashicorp nomad
Hashicorp nomad Enterprise
Vendors & Products Hashicorp
Hashicorp nomad
Hashicorp nomad Enterprise

Tue, 12 May 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 12 May 2026 19:30:00 +0000

Type Values Removed Values Added
Description HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to code execution on the client host through a path traversal attack. This vulnerability (CVE-2026-7474) is fixed in Nomad 2.0.1, 1.11.5 and 1.10.11.
Title Nomad vulnerable to path traversal in dynamic host volume which may lead to code execution
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Hashicorp Nomad Nomad Enterprise
cve-icon MITRE

Status: PUBLISHED

Assigner: HashiCorp

Published:

Updated: 2026-05-13T03:58:40.530Z

Reserved: 2026-04-29T21:07:13.054Z

Link: CVE-2026-7474

cve-icon Vulnrichment

Updated: 2026-05-12T20:23:50.764Z

cve-icon NVD

Status : Deferred

Published: 2026-05-12T20:16:46.380

Modified: 2026-06-17T11:02:29.613

Link: CVE-2026-7474

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T12:30:16Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')