Path Traversal Vulnerability in HashiCorp Nomad and Nomad Enterprise
CVE-2026-7474
8.8 HIGH
What is CVE-2026-7474?
HashiCorp Nomad and Nomad Enterprise prior to version 2.0.1 are susceptible to a path traversal vulnerability that could allow an attacker to execute arbitrary code on the client host. This issue arises from inadequate validation of file paths in dynamic host volumes, potentially leading to unauthorized access and control of the affected systems. Users are advised to upgrade to the patched versions—Nomad 2.0.1, 1.11.5, and 1.10.11—to mitigate this risk.
Affected Version(s)
Nomad 64 bit 1.10.0 < 2.0.1
Nomad Enterprise 64 bit 1.10.0 < 2.0.1
CVSS V3.1
Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
This issue was reported to HashiCorp by Adrian Denkiewicz at Doyensec in collaboration with Claude and Anthropic Research.