Sandbox Escape Vulnerability in HashiCorp Nomad Docker Task Driver
CVE-2026-14891

8.7HIGH

Key Information:

Vendor

Hashicorp

Vendor
CVE Published:
8 July 2026

What is CVE-2026-14891?

A sandbox escape vulnerability exists in HashiCorp Nomad's Docker task driver which allows unauthorized users to bind-mount host paths into containers. This issue can compromise data integrity by allowing job submitters to access and manipulate files on the host system, even when volume bind mounts are configured to be disabled. It is essential for users of Nomad to update to the fixed versions to mitigate potential security risks.

Affected Version(s)

Nomad 64 bit 0.4.1 < 2.0.4

Nomad Enterprise 64 bit 0.4.1 < 2.0.4

References

CVSS V3.1

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

This issue was reported to HashiCorp by Volkan Kutal, GitHub handle @KutalVolkan.
.