Cross-Namespace Authorization Bypass in HashiCorp Nomad Products
CVE-2026-14896

4.2MEDIUM

Key Information:

Vendor

Hashicorp

Vendor
CVE Published:
8 July 2026

What is CVE-2026-14896?

HashiCorp Nomad and Nomad Enterprise exhibit a critical flaw that allows an operator with host volume deletion rights in one namespace to inadvertently delete a sticky volume claim from a job located in another namespace. This misconfiguration can lead to severe operational disruptions across isolated environments, impacting data integrity and availability. The issue is addressed in Nomad Community Edition 2.0.4 and updates for Nomad Enterprise in versions 2.0.4, 1.11.8, and 1.10.14.

Affected Version(s)

Nomad 64 bit 0.4.1 < 2.0.4

Nomad Enterprise 64 bit 0.4.1 < 2.0.4

References

CVSS V3.1

Score:
4.2
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

This issue was reported to HashiCorp by George Chen.
.