File Inclusion Vulnerability in HashiCorp Terraform Enterprise
CVE-2026-14468

7.7HIGH

Key Information:

Vendor

Hashicorp

Vendor
CVE Published:
6 July 2026

What is CVE-2026-14468?

HashiCorp Terraform Enterprise experiences a significant file inclusion vulnerability due to improper enforcement of boundaries during the ingestion of registry modules. This flaw allows authenticated users to access and potentially download sensitive files that reside outside the authorized repository. The issue could lead to exposure of confidential data during the module processing. Mitigations are available in the latest updates, specifically in Terraform Enterprise versions 2.0.4 and 1.2.4.

Affected Version(s)

Terraform Enterprise 64 bit 1.0.0 < 2.0.4

References

CVSS V3.1

Score:
7.7
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

This issue was identified by the Terraform Enterprise engineering team.
.