Arbitrary File Read and Write Vulnerability in HashiCorp Nomad and Nomad Enterprise
CVE-2026-6959

6 MEDIUM

Key Information:

Vendor: HashiCorp
CVE Published: 12 May 2026

What is CVE-2026-6959?

HashiCorp Nomad and Nomad Enterprise prior to version 2.0.1 are vulnerable to symlink attacks that allow arbitrary file read and write on the client host, putting the host's integrity and confidentiality at serious risk. The issue is fixed in versions 2.0.1, 1.11.5, and 1.10.11; users should upgrade immediately.

Affected Version(s)

Nomad 64 bit 0.9.0 < 2.0.1

Nomad Enterprise 64 bit 0.9.0 < 2.0.1

CVSS V3.1

Score: 6
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Local
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

This issue was identified by Alex Manson (Aiven / NeuroWinter).