HCSEC-2026-13

HCSEC-2026-13 - Nomad's exec2 task driver vulnerable to arbitrary file read/write on client host through symlink attack

Published
May 12, 2026


📋 Description

Bulletin ID: HCSEC-2026-13
Affected Products / Versions: Nomad exec2 task driver up to 0.1.1; fixed in version 0.1.2.
Publication Date: May 12, 2026

Summary

HashiCorp Nomad’s exec2 task driver prior to 0.1.2 is vulnerable to arbitrary file read and write on the client host as the Nomad process user through a symlink attack. This vulnerability (CVE-2026-8052) is fixed in version 0.1.2 of the exec2 task driver.

Background

Nomad workloads are run by task drivers that implement various levels of filesystem isolation from the Nomad client host. Tasks within a workload allocation share a directory where logs are written. This directory is typically a bind mount from the host’s filesystem that contains the log files and named pipes that capture stdout and stderr from the workload.

Details

An attacker with permission to launch a malicious Nomad task may be able to manipulate the named pipe symlinks for an allocation’s log file, allowing read/write access to the Nomad host’s filesystem with the privileges of the Nomad process user.

Remediation

Customers should evaluate the risk associated with this issue and consider upgrading the exec2 task driver to 0.1.2 or newer.

Acknowledgement

This issue was identified by the Nomad engineering team in conjunction with Alex Manson (Aiven / NeuroWinter).

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.
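The Details section concerns named pipes in a log directory that a task can modify. The Go sketch below is an added example, not code from Nomad or the exec2 driver and not a description of the 0.1.2 fix: it shows one general defensive pattern for a privileged process opening such an entry, refusing symlinks and verifying the type on the open descriptor. The names `openLogFifo` and `buildSample` and all file names are hypothetical, and the sample directory is constructed.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// openLogFifo (hypothetical helper) opens path only if it is a real named pipe.
func openLogFifo(path string) (*os.File, error) {
	// O_NOFOLLOW fails with ELOOP if the last component is a symlink (parent
	// directories must be trusted); O_NONBLOCK avoids waiting for a writer.
	f, err := os.OpenFile(path, os.O_RDONLY|syscall.O_NOFOLLOW|syscall.O_NONBLOCK, 0)
	if err != nil {
		return nil, fmt.Errorf("refusing %s: %w", path, err)
	}
	// Check the type on the open descriptor, not the path, to avoid a swap race.
	if st, err := f.Stat(); err != nil || st.Mode()&os.ModeNamedPipe == 0 {
		f.Close()
		return nil, fmt.Errorf("refusing %s: not a named pipe", path)
	}
	return f, nil
}

// buildSample creates constructed data: a FIFO and a symlink posing as one.
func buildSample(root string) (fifo, link string, err error) {
	target, logs := filepath.Join(root, "host-file"), filepath.Join(root, "logs")
	fifo, link = filepath.Join(logs, "stdout.fifo"), filepath.Join(logs, "stderr.fifo")
	if err = os.WriteFile(target, []byte("host data\n"), 0o600); err != nil {
		return
	}
	if err = os.Mkdir(logs, 0o700); err != nil {
		return
	}
	if err = syscall.Mkfifo(fifo, 0o600); err != nil {
		return
	}
	err = os.Symlink(target, link)
	return
}

func main() {
	root, _ := os.MkdirTemp("", "alloc")
	defer os.RemoveAll(root)
	fifo, link, _ := buildSample(root)
	_, errFifo := openLogFifo(fifo)
	_, errLink := openLogFifo(link)
	fmt.Println("fifo:", errFifo, "| symlink:", errLink)
}
```

A plain `os.Open` on the same symlinked entry would succeed and hand back the file outside the log directory, which is the behaviour this pattern is meant to rule out.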

🎯 Affected products (1)

  • Nomad
