CVE-2026-6959 Overview
CVE-2026-6959 is a symlink attack vulnerability affecting HashiCorp Nomad and Nomad Enterprise prior to version 2.0.1. The flaw allows an attacker with high privileges on a Nomad client to perform arbitrary file read and write operations on the client host as the Nomad process user. The vulnerability is classified under CWE-59: Improper Link Resolution Before File Access. HashiCorp resolved the issue in Nomad versions 2.0.1, 1.11.5, and 1.10.11.
Critical Impact
An authenticated attacker can read and write arbitrary files on the Nomad client host using the privileges of the Nomad process user, enabling potential privilege escalation and integrity compromise.
Affected Products
- HashiCorp Nomad prior to 2.0.1
- HashiCorp Nomad Enterprise prior to 2.0.1
- Earlier branches fixed in 1.11.5 and 1.10.11
Discovery Timeline
- 2026-05-12 - CVE-2026-6959 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-6959
Vulnerability Analysis
The vulnerability stems from improper link resolution when the Nomad client process accesses files on the host. An attacker with sufficient privileges to submit or influence a job on a Nomad client can stage symbolic links that redirect file operations performed by the Nomad process. Because Nomad follows these links without validating that the target resides within an expected directory, the process performs reads and writes against attacker-chosen paths.
The impact is bounded to the client host where the malicious workload runs. However, the Nomad process typically runs with elevated privileges to manage tasks, container runtimes, and host resources. Writing to arbitrary locations as that user can corrupt configuration files, plant executables consumed by privileged processes, or overwrite credentials.
The scope change reflected in the CVSS vector indicates that exploitation crosses a trust boundary — a job running under Nomad's task isolation breaks out to affect host files outside the job's expected sandbox.
Root Cause
The root cause is missing validation of file path targets during operations executed by the Nomad client. When Nomad opens or writes to paths within task or allocation directories, it does not verify that no path component is a symbolic link pointing outside those directories. This is a classic symlink-following flaw, closely related to TOCTOU races: the path is trusted at the moment it is opened, while its meaning is controlled by whoever can plant a link under the directory.
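To make the root cause concrete, here is the vulnerable pattern next to a hardened one, as an added illustration that is not Nomad's code or HashiCorp's fix. The naive writer resolves a planted symlink; the hardened writer opens each path component with O_NOFOLLOW relative to the previous directory descriptor, so the kernel refuses the link. The allocation layout and the outside file are constructed in a temporary directory.

```python
import errno, os, tempfile


def _components(rel: str) -> list:
    """Split a relative path, rejecting parts that could climb out lexically."""
    parts = [p for p in rel.split("/") if p not in ("", ".")]
    if os.path.isabs(rel) or not parts or ".." in parts:
        raise ValueError("invalid allocation-relative path: %r" % rel)
    return parts


def naive_write(root: str, rel: str, data: bytes) -> None:
    """Vulnerable pattern: open() follows any planted symlink in the path."""
    with open(os.path.join(root, rel), "wb") as f:
        f.write(data)


def safe_write(root: str, rel: str, data: bytes) -> None:
    """Hardened pattern: open each component relative to the previous directory
    fd with O_NOFOLLOW; a symlink fails with ELOOP and there is no lstat/open race."""
    parts = _components(rel)
    fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for name in parts[:-1]:
            nfd = os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=fd)
            os.close(fd)
            fd = nfd
        leaf = os.open(parts[-1], os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW,
                       0o600, dir_fd=fd)
    finally:
        os.close(fd)
    with os.fdopen(leaf, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Constructed scenario: alloc/local/out.txt links to a file outside the allocation."""
    base = tempfile.mkdtemp()
    alloc = os.path.join(base, "alloc")
    os.makedirs(os.path.join(alloc, "local"))
    host_file = os.path.join(base, "host_file")  # stand-in for a sensitive host file
    open(host_file, "wb").close()
    os.symlink(host_file, os.path.join(alloc, "local", "out.txt"))
    naive_write(alloc, "local/out.txt", b"clobbered")  # lands in host_file
    escaped = open(host_file, "rb").read() == b"clobbered"
    try:
        safe_write(alloc, "local/out.txt", b"blocked")
        blocked = False
    except OSError as e:
        blocked = e.errno == errno.ELOOP
    safe_write(alloc, "local/ok.txt", b"fine")  # a legitimate path still works
    return {"naive_escaped": escaped, "safe_blocked": blocked,
            "ok_written": open(os.path.join(alloc, "local", "ok.txt"), "rb").read()}
```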
Attack Vector
Exploitation requires local access to a Nomad client and high privileges, typically the ability to submit or run a job. The attacker places symlinks within paths the Nomad client subsequently accesses. Nomad follows the link and performs the privileged read or write at the symlink target. No user interaction is required.
No public proof-of-concept is currently available. For technical details, refer to the HashiCorp Security Advisory HCSEC-2026-14.
Detection Methods for CVE-2026-6959
Indicators of Compromise
- Unexpected symbolic links inside Nomad allocation directories (alloc/, local/, secrets/) pointing outside the allocation root.
- Modifications to sensitive host files such as /etc/passwd, /etc/shadow, /etc/sudoers.d/, or /root/.ssh/authorized_keys with timestamps correlating to Nomad task execution.
- Nomad client logs showing file operations resolving to paths outside the data directory.
Detection Strategies
- Audit jobspecs and templates submitted to Nomad clusters for unusual file paths, template stanzas writing to absolute paths, or artifacts containing symlinks.
- Enable Linux audit rules (auditd) to log open, openat, symlink, and symlinkat syscalls performed by the Nomad process and alert on writes outside the configured data directory.
- Correlate Nomad allocation IDs with host filesystem changes using endpoint telemetry to surface tasks that touch unexpected paths.
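The first indicator above (symlinks inside allocation directories pointing outside the allocation root) and the audit strategies in this list can be checked directly on a client host. The scanner below is an added example, not a Nomad feature: it walks an allocation directory without following links and reports every symlink whose resolved target escapes the root, catching absolute, relative and dangling links alike. The allocation layout it scans is constructed in a temporary directory.

```python
import os
import tempfile


def find_escaping_links(alloc_root: str) -> list:
    """Walk an allocation directory without following links and return every
    symlink whose fully resolved target lies outside the allocation root."""
    root = os.path.realpath(alloc_root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        # symlinked directories appear in dirnames but are not descended into
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)  # resolves relative, chained and dangling links
            if os.path.commonpath([root, target]) != root:
                findings.append((os.path.relpath(path, root), os.readlink(path), target))
    return sorted(findings)


def demo() -> list:
    """Constructed allocation layout with one benign link and two escaping ones."""
    base = tempfile.mkdtemp()
    alloc = os.path.join(base, "alloc")
    for sub in ("local", "secrets", "tmp"):
        os.makedirs(os.path.join(alloc, sub))
    with open(os.path.join(alloc, "local", "app.conf"), "w") as f:
        f.write("ok\n")
    # benign: relative link that stays inside the allocation
    os.symlink("../local/app.conf", os.path.join(alloc, "tmp", "conf"))
    # escaping: absolute target outside the allocation (stand-in for a host file)
    os.symlink(os.path.join(base, "host_file"), os.path.join(alloc, "secrets", "token"))
    # escaping: relative target climbing out of the allocation
    os.symlink("../../host_dir", os.path.join(alloc, "local", "out"))
    return find_escaping_links(alloc)
```

Run against real allocation roots under the Nomad data directory, each finding is a candidate for correlation with the allocation's job submission event.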
Monitoring Recommendations
- Forward Nomad client logs and host audit data to a centralized SIEM for retention and correlation with job submission events.
- Monitor changes to system binaries, SSH keys, and service configuration files on Nomad client hosts.
- Track use of privileged Nomad ACL tokens and job submissions from non-standard users or service accounts.
How to Mitigate CVE-2026-6959
Immediate Actions Required
- Upgrade Nomad and Nomad Enterprise clients to 2.0.1, 1.11.5, or 1.10.11 depending on your release branch.
- Review and restrict Nomad ACL policies so that job submission privileges are limited to trusted operators and automation accounts.
- Rotate any credentials, tokens, or keys that may have been exposed on affected client hosts.
Patch Information
HashiCorp has released fixed builds in Nomad 2.0.1, 1.11.5, and 1.10.11. Patch details are documented in the HashiCorp Security Advisory HCSEC-2026-14. Operators should upgrade clients on a rolling basis to maintain workload availability.
Workarounds
- Restrict Nomad ACL capabilities to remove submit-job and dispatch-job from untrusted namespaces until patches are applied.
- Run Nomad clients with the least privilege necessary and avoid running the agent as root where workload requirements permit.
- Apply mandatory access controls such as SELinux or AppArmor profiles to constrain Nomad client file access to its data directory.
# Example: tighten a Nomad ACL policy to remove job submission from a namespace
namespace "default" {
  policy       = "read"
  capabilities = ["read-job", "list-jobs"]
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.