Description
Boundary Community Edition and Boundary Enterprise (“Boundary”) workers are vulnerable to a denial-of-service condition during node enrollment TLS handshakes. An attacker with network access to the worker authentication listener may open a connection and delay or withhold the client certificate during the TLS handshake, causing worker connection handling to block. This may prevent legitimate worker connections from being accepted or routed. This vulnerability, CVE-2026-7776, is fixed in Boundary 0.21.3, 0.20.3, 0.19.5.
Published: 2026-05-04
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Boundary workers are vulnerable to a denial‑of‑service condition that occurs during the TLS handshake when a client certificate is delayed or withheld. The flaw is a resource exhaustion vulnerability (CWE‑770) that can block the worker’s connection handling, preventing any legitimate worker connections from being accepted or routed.

Affected Systems

The affected products are HashiCorp Boundary Community Edition and HashiCorp Boundary Enterprise. Versions up to Boundary 0.21.2 (Community) and up to Boundary 0.20.2 (Enterprise) contain the issue; the vulnerability is addressed in Boundary 0.21.3, 0.20.3 and 0.19.5.

Risk and Exploitability

The CVSS score is 7.5, indicating a high severity, and the EPSS score is not available, making the exploitation probability unclear. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a network connection to the worker authentication listener. An attacker who can reach that listener may open a TLS session and intentionally delay or withhold the client certificate, causing the worker to block on the handshake and effectively suspend legitimate connections.

Generated by OpenCVE AI on May 4, 2026 at 23:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Boundary to the latest patch—Boundary 0.21.3 or later for Community, 0.20.3 or later for Enterprise
  • Restrict network access to the worker authentication listener by configuring firewall rules or network segmentation, limiting exposure to trusted hosts only
  • Monitor TLS handshake logs for delays or failures and alert administrators to suspected exploitation attempts

Generated by OpenCVE AI on May 4, 2026 at 23:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-7x9r-wcgg-w86f Hashicorp Boundary workers are vulnerable to a denial-of-service condition during node enrollment TLS handshakes
History

Wed, 06 May 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Hashicorp
Hashicorp boundary
Hashicorp boundary Enterprise
Vendors & Products Hashicorp
Hashicorp boundary
Hashicorp boundary Enterprise

Tue, 05 May 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 04 May 2026 21:45:00 +0000

Type Values Removed Values Added
Description Boundary Community Edition and Boundary Enterprise (“Boundary”) workers are vulnerable to a denial-of-service condition during node enrollment TLS handshakes. An attacker with network access to the worker authentication listener may open a connection and delay or withhold the client certificate during the TLS handshake, causing worker connection handling to block. This may prevent legitimate worker connections from being accepted or routed. This vulnerability, CVE-2026-7776, is fixed in Boundary 0.21.3, 0.20.3, 0.19.5.
Title Boundary Workers Vulnerable to Denial of Service During TLS Handshake
Weaknesses CWE-770
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Hashicorp Boundary Boundary Enterprise
cve-icon MITRE

Status: PUBLISHED

Assigner: HashiCorp

Published:

Updated: 2026-05-05T14:14:05.799Z

Reserved: 2026-05-04T15:10:16.232Z

Link: CVE-2026-7776

cve-icon Vulnrichment

Updated: 2026-05-05T13:21:01.342Z

cve-icon NVD

Status : Deferred

Published: 2026-05-04T22:16:20.330

Modified: 2026-05-05T20:24:04.853

Link: CVE-2026-7776

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-06T09:22:31Z

Weaknesses