File Inclusion Vulnerability in HashiCorp Terraform Enterprise
CVE-2026-14468
7.7HIGH
What is CVE-2026-14468?
HashiCorp Terraform Enterprise experiences a significant file inclusion vulnerability due to improper enforcement of boundaries during the ingestion of registry modules. This flaw allows authenticated users to access and potentially download sensitive files that reside outside the authorized repository. The issue could lead to exposure of confidential data during the module processing. Mitigations are available in the latest updates, specifically in Terraform Enterprise versions 2.0.4 and 1.2.4.
Affected Version(s)
Terraform Enterprise 64 bit 1.0.0 < 2.0.4
References
CVSS V3.1
Score:
7.7
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
This issue was identified by the Terraform Enterprise engineering team.