Denial-of-Service Vulnerability in Boundary by HashiCorp
CVE-2026-7776

7.5HIGH

Key Information:

Vendor: Hashicorp
Status: Boundary; Boundary Enterprise
Vendor: CVE Published:; 4 May 2026

What is CVE-2026-7776?

The Boundary Community Edition and Boundary Enterprise products developed by HashiCorp are exposed to a denial-of-service vulnerability during TLS handshakes related to node enrollment. An attacker with network access to the worker authentication listener can exploit this vulnerability by opening a connection and intentionally delaying or withholding the client certificate during the TLS handshake process. This action may lead to the blocking of worker connection handling, thereby hindering the acceptance or routing of legitimate worker connections. The vulnerability has been addressed in Boundary versions 0.21.3, 0.20.3, and 0.19.5.

Affected Version(s)

Boundary 64 bit 0.9.0 < 0.21.3

Boundary Enterprise 64 bit 0.9.0 < 0.21.3

References

https://discuss.hashicorp.com/t/hcsec-2026-11-boundary-wo...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 4, 2026
Vulnerability Reserved
May 4, 2026

Credit

This issue was identified by the Boundary Engineering team.

CVE-2026-7776 Data

JSON

Hashicorp

What is CVE-2026-7776?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit