Description
Boundary Community Edition and Boundary Enterprise (“Boundary”) workers are vulnerable to a denial-of-service condition during node enrollment TLS handshakes. An attacker with network access to the worker authentication listener may open a connection and delay or withhold the client certificate during the TLS handshake, causing worker connection handling to block. This may prevent legitimate worker connections from being accepted or routed. This vulnerability, CVE-2026-7776, is fixed in Boundary 0.21.3, 0.20.3, 0.19.5.
Published: 2026-05-04
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Boundary workers are vulnerable to a denial‑of‑service condition that occurs during the TLS handshake when a client certificate is delayed or withheld. The flaw is a resource exhaustion vulnerability (CWE‑770) that can block the worker’s connection handling, preventing any legitimate worker connections from being accepted or routed.

Affected Systems

The affected products are HashiCorp Boundary Community Edition and HashiCorp Boundary Enterprise. Versions up to Boundary 0.21.2 (Community) and up to Boundary 0.20.2 (Enterprise) contain the issue; the vulnerability is addressed in Boundary 0.21.3, 0.20.3 and 0.19.5.

Risk and Exploitability

The CVSS score is 7.5, indicating a high severity, and the EPSS score is not available, making the exploitation probability unclear. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a network connection to the worker authentication listener. An attacker who can reach that listener may open a TLS session and intentionally delay or withhold the client certificate, causing the worker to block on the handshake and effectively suspend legitimate connections.

Generated by OpenCVE AI on May 4, 2026 at 23:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Boundary to the latest patch—Boundary 0.21.3 or later for Community, 0.20.3 or later for Enterprise
  • Restrict network access to the worker authentication listener by configuring firewall rules or network segmentation, limiting exposure to trusted hosts only
  • Monitor TLS handshake logs for delays or failures and alert administrators to suspected exploitation attempts

Generated by OpenCVE AI on May 4, 2026 at 23:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 04 May 2026 21:45:00 +0000

Type Values Removed Values Added
Description Boundary Community Edition and Boundary Enterprise (“Boundary”) workers are vulnerable to a denial-of-service condition during node enrollment TLS handshakes. An attacker with network access to the worker authentication listener may open a connection and delay or withhold the client certificate during the TLS handshake, causing worker connection handling to block. This may prevent legitimate worker connections from being accepted or routed. This vulnerability, CVE-2026-7776, is fixed in Boundary 0.21.3, 0.20.3, 0.19.5.
Title Boundary Workers Vulnerable to Denial of Service During TLS Handshake
Weaknesses CWE-770
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: HashiCorp

Published:

Updated: 2026-05-04T21:36:18.758Z

Reserved: 2026-05-04T15:10:16.232Z

Link: CVE-2026-7776

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-04T22:16:20.330

Modified: 2026-05-04T22:16:20.330

Link: CVE-2026-7776

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-04T23:30:11Z

Weaknesses