HCSEC-2026-14 - Nomad arbitrary file read/write on client host through symlink attack
🔗 CVE IDs covered (1)
- CVE-2026-6959
📋 Description
Bulletin ID: HCSEC-2026-14
Affected Products / Versions: Nomad Community Edition from 0.9 up to 2.0.0, fixed in 2.0.1; Nomad Enterprise from 0.9 up to 2.0.0, fixed in 2.0.1, 1.11.5, and 1.10.11.
Publication Date: May 12, 2026

Summary
HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to arbitrary file read and write on the client host as the Nomad process user through a symlink attack. This vulnerability (CVE-2026-6959) is fixed in Nomad 2.0.1, 1.11.5 and 1.10.11.

Background
Nomad workloads are run by task drivers that implement various levels of filesystem isolation from the Nomad client host. Tasks within a workload allocation share a directory where logs are written. This directory is typically a bind mount from the host's filesystem that contains the log files and named pipes that capture stdout and stderr from the workload.

Details
An attacker with permission to launch a malicious Nomad task may be able to manipulate the named pipe symlinks for an allocation's log file, allowing read/write access to the Nomad host's filesystem with the privileges of the Nomad process user.

Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Nomad 2.0.1, 1.11.5, 1.10.11, or newer.

Acknowledgement
This issue was identified by Alex Manson (Aiven / NeuroWinter). We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.
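The Background and Details sections describe the hazard in general terms: a log path inside a bind-mounted allocation directory that the Nomad agent opens as its own user, where a task with write access to that directory can replace the expected file or pipe with a symlink. The Go code below is an added example written for this page, not Nomad's own code or its fix, and shows the defensive check a host-side agent can apply before opening such a path: resolve the directory chain and refuse anything that escapes the allocation root, refuse a symlink at the final component, and open with O_NOFOLLOW so that a link swapped in between the check and the open is still rejected by the kernel. The function names (CheckLogPath, OpenLogNoFollow), the alloc/logs layout and the log filenames are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// ErrEscapesAllocDir: some directory component of the log path resolves outside the allocation root.
var ErrEscapesAllocDir = errors.New("log path resolves outside the allocation directory")

// ErrIsSymlink: the log path itself is a symbolic link (even one that points back inside).
var ErrIsSymlink = errors.New("log path is a symbolic link")

// within reports whether p is root itself or a descendant of root.
// Both arguments must already be absolute and symlink-free.
func within(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	if err != nil {
		return false
	}
	return rel == "." || (rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator)))
}

// CheckLogPath verifies that candidate is safe to open as a log file or pipe for the
// allocation rooted at allocDir (assumed layout, not Nomad's real one):
//   - every directory component of candidate must resolve, following symlinks, to a
//     location inside allocDir, and
//   - candidate itself, if it already exists, must not be a symlink.
// A missing candidate is accepted: the caller is about to create it.
func CheckLogPath(allocDir, candidate string) error {
	root, err := filepath.EvalSymlinks(allocDir)
	if err != nil {
		return fmt.Errorf("resolve alloc dir: %w", err)
	}
	if root, err = filepath.Abs(root); err != nil {
		return err
	}
	parent, err := filepath.EvalSymlinks(filepath.Dir(candidate))
	if err != nil {
		return fmt.Errorf("resolve parent of log path: %w", err)
	}
	if parent, err = filepath.Abs(parent); err != nil {
		return err
	}
	if !within(root, parent) {
		return ErrEscapesAllocDir
	}
	info, err := os.Lstat(candidate) // Lstat: inspect the link itself, do not follow it
	switch {
	case errors.Is(err, os.ErrNotExist):
		return nil
	case err != nil:
		return err
	case info.Mode()&os.ModeSymlink != 0:
		return ErrIsSymlink
	}
	return nil
}

// OpenLogNoFollow runs CheckLogPath and then opens with O_NOFOLLOW, so a symlink
// placed after the check but before the open fails in the kernel instead of being followed.
func OpenLogNoFollow(allocDir, candidate string, flag int) (*os.File, error) {
	if err := CheckLogPath(allocDir, candidate); err != nil {
		return nil, err
	}
	return os.OpenFile(candidate, flag|syscall.O_NOFOLLOW, 0)
}

func main() {
	// Constructed demo: a throwaway alloc dir with one honest log file and one
	// log path that has been replaced by a symlink pointing outside the alloc dir.
	dir, err := os.MkdirTemp("", "alloc-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	logs := filepath.Join(dir, "alloc", "logs")
	if err := os.MkdirAll(logs, 0o755); err != nil {
		panic(err)
	}
	good := filepath.Join(logs, "web.stdout.0")
	_ = os.WriteFile(good, nil, 0o644)
	bad := filepath.Join(logs, "web.stderr.0")
	_ = os.Symlink("/etc/hostname", bad) // constructed: a pipe path swapped for a symlink
	for _, p := range []string{good, bad} {
		fmt.Printf("%s: %v\n", p, CheckLogPath(dir, p))
	}
}
```

The check is deliberately conservative: a symlink at the final component is refused even when its target is inside the allocation directory, because a link the agent did not create is itself the signal that the directory has been tampered with. Note that the check alone has a window between Lstat and open, which is why OpenLogNoFollow also passes O_NOFOLLOW to the kernel.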
🎯 Affected products (2)
- Nomad
- Nomad Enterprise