HCSEC-2026-19 - Nomad Docker driver vulnerable to host namespace bypass on Linux
🔗 CVE IDs covered (1)
📋 Description
Bulletin ID: HCSEC-2026-19 Affected Products / Versions: Nomad and Nomad Enterprise up to 2.0.3; fixed in Nomad 2.0.4 and Nomad Enterprise 2.0.4, 1.11.8, and 1.10.14. Publication Date: July 8, 2026 Summary HashiCorp Nomad and Nomad Enterprise did not enforce the allow_privileged restriction for the Docker task driver’s host namespace mode options. This may allow an authenticated job submitter to run a container in a host namespace and access information belonging to the host or to other workloads on the same client. This vulnerability, CVE-2026-14373, is fixed in Nomad Community Edition 2.0.4 and Nomad Enterprise 2.0.4, 1.11.8, and 1.10.14. Background The Nomad Docker task driver runs workloads as containers on a client node. The driver supports Linux namespace mode options, including the process (PID), IPC, user, and UTS namespace modes, that can place a container in the host’s namespace instead of an isolated one. Nomad’s documentation states that these host namespace modes require the client’s allow_privileged driver option to be enabled. Details The Docker task driver passed the process, IPC, user, and UTS namespace mode options from a submitted job to the Docker daemon without enforcing the allow_privileged restriction described in its documentation. As a result, an authenticated user able to submit Docker driver jobs could place a container in a host namespace even on clients where allow_privileged was disabled. Running a task in the host process namespace, for example, allows the container to enumerate host processes and read their environment, which may expose sensitive information such as tokens or credentials held by the Nomad agent or by other allocations on the same client. Exploitation requires the ability to submit Docker driver jobs to the cluster. These host namespace modes are specific to Linux, so the issue affects Linux clients running Linux containers; Windows container workloads are not affected. Remediation Customers should evaluate the…
🎯 Affected products2
- Nomad
- Nomad Enterprise