HCSEC-2026-17

HCSEC-2026-17 - Terraform Enterprise vulnerable to arbitrary file read

Published
July 6, 2026
Last Modified

🔗 CVE IDs covered (1)

📋 Description

Bulletin ID: HCSEC-2026-17 Affected Products / Versions: Terraform Enterprise v202506-1, v202507-1, and 1.0.0 through 2.0.3; fixed in Terraform Enterprise 2.0.4, 1.2.4. Publication Date: July 6, 2026 Summary HashiCorp Terraform Enterprise contained an issue in its version control system (VCS) ingestion of registry modules that did not correctly enforce the intended boundary on packaged module content. This may allow an authenticated user to include files from outside the intended repository content in a module and then download them, potentially exposing sensitive files readable by the ingestion process. This vulnerability, CVE-2026-14468, is fixed in Terraform Enterprise v2.0.4 and v1.2.4. Background Terraform Enterprise can create private registry modules from a version control system (VCS) repository. When ingesting a module, it clones the repository and packages the contents into a downloadable module artifact. Details Terraform Enterprise did not correctly enforce the intended boundary on the content packaged during VCS ingestion of registry modules. As a result, an authenticated user able to publish a registry module could cause files from outside the intended repository content to be included in the packaged module and then download the result, which may expose sensitive files readable by the ingestion process, such as application configuration and secrets. Exploitation requires the ability to create or publish a registry module and does not require host access or administrative privileges. Remediation Customers should evaluate the risk associated with this issue and consider upgrading to Terraform Enterprise v2.0.4 or v1.2.4. As a potential mitigation, customers can remove module publishing permissions from untrusted users. Acknowledgement This issue was identified by the Terraform Enterprise engineering team. We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of…

🎯 Affected products2

  • Terraform Enterprise
  • boundary

🔗 References (1)