CVE-2026-7474 Overview
CVE-2026-7474 is a path traversal vulnerability [CWE-22] affecting HashiCorp Nomad and Nomad Enterprise prior to version 2.0.1. The flaw resides in the dynamic host volume feature and allows an authenticated attacker to escape the intended volume directory. Successful exploitation leads to code execution on the Nomad client host. HashiCorp addressed the issue in Nomad 2.0.1, 1.11.5, and 1.10.11.
Critical Impact
Authenticated attackers can traverse outside dynamic host volume boundaries on Nomad clients to write or access arbitrary files, resulting in code execution on the workload host.
Affected Products
- HashiCorp Nomad prior to 2.0.1
- HashiCorp Nomad Enterprise prior to 2.0.1
- Nomad 1.11.x prior to 1.11.5 and 1.10.x prior to 1.10.11
Discovery Timeline
- 2026-05-12 - CVE-2026-7474 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-7474
Vulnerability Analysis
The vulnerability stems from insufficient validation of file paths supplied to Nomad's dynamic host volume functionality. Nomad allows operators and job submitters to define host volumes that map directories on the client node into running workloads. When the volume path is not properly canonicalized, an attacker can supply traversal sequences such as ../ to reference directories outside the intended volume root.
Because Nomad client agents typically run with elevated privileges to manage workloads and host resources, files written or executed through the traversal inherit those privileges. This converts a directory-scoping issue into full code execution on the client host. The flaw is classified under [CWE-22] (Improper Limitation of a Pathname to a Restricted Directory).
Root Cause
The dynamic host volume handler accepts path inputs without rejecting traversal segments or resolving symbolic links before mounting. Path normalization happens after the volume is bound, allowing an attacker-controlled location to be exposed inside the workload's filesystem namespace. Refer to HashiCorp Advisory HCSEC-2026-15 for vendor technical details.
Attack Vector
An attacker with low-privilege access to the Nomad API or the ability to submit jobs can craft a job specification that defines a dynamic host volume pointing outside the permitted volume directory. When the Nomad client schedules the workload, the malicious path is bound into the task, allowing the attacker to read sensitive files, overwrite binaries, or drop executable payloads that run with client agent privileges.
Detection Methods for CVE-2026-7474
Indicators of Compromise
- Job specifications or API requests containing .., encoded traversal sequences, or absolute paths in dynamic host volume definitions.
- Unexpected files written outside configured host_volume directories on Nomad client nodes.
- New or modified binaries in system directories on hosts running the Nomad client agent.
- Nomad client logs showing volume mounts that resolve to paths outside the declared volume root.
Detection Strategies
- Audit Nomad job submissions and API calls for dynamic host volume payloads containing path traversal patterns.
- Compare resolved mount paths in Nomad client logs against the configured allow-list of host volume directories.
- Monitor process execution lineage from the Nomad client agent for unexpected child processes or shell invocations.
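As an added example (not code from this page or from HashiCorp), the first two strategies above in Python: a scan of a submitted job payload for the traversal indicators named in the IoC list (a `..` segment, plain or percent-encoded, or an absolute path), and a canonicalization check that resolves a requested volume location with symlinks followed and confirms it stays under the configured volume root. The volume root, the sample payload, and the `TaskGroups[].Volumes` map with `Type` and `Source` fields are assumptions made for the example.

```python
import json
import os
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Assumed client-side root under which dynamic host volumes may be created
# (placeholder for this example; the real directory comes from client config).
VOLUME_ROOT = "/opt/nomad/host_volumes"

# Matches a ".." segment on its own, with either slash style as separator.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

def is_suspicious_path(raw: str) -> bool:
    """True if a submitted volume path carries a traversal indicator:
    a '..' segment (plain or percent-encoded), an absolute path, or a
    NUL byte that could truncate the path downstream."""
    decoded = unquote(unquote(raw))  # strip single and double URL-encoding
    return (bool(TRAVERSAL_RE.search(decoded))
            or os.path.isabs(decoded) or "\x00" in decoded)

def resolve_within_root(name: str, root: str = VOLUME_ROOT) -> Optional[str]:
    """Canonicalize a volume location and confirm it stays under root.
    realpath follows symlinks and collapses '..' before the path is used,
    i.e. before binding rather than after. Returns None when the result is
    the root itself or lies outside it."""
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, name))
    if not candidate.startswith(root_real + os.sep):
        return None
    return candidate

def find_suspicious_volumes(job_json: str) -> List[Tuple[str, str]]:
    """Scan a job payload as sent to the HTTP API and return (volume name,
    Source) pairs whose host volume source looks like traversal. Assumes the
    TaskGroups[].Volumes layout with Type/Source fields."""
    job = json.loads(job_json)
    hits = []
    for group in job.get("Job", {}).get("TaskGroups") or []:
        for vol_name, vol in (group.get("Volumes") or {}).items():
            if vol.get("Type") == "host" and is_suspicious_path(vol.get("Source", "")):
                hits.append((vol_name, vol["Source"]))
    return hits

# Constructed sample payload: one benign volume and two traversal attempts.
SAMPLE_JOB = json.dumps({"Job": {"ID": "web", "TaskGroups": [{"Name": "app", "Volumes": {
    "data": {"Type": "host", "Source": "app-data"},
    "etc": {"Type": "host", "Source": "../../../etc"},
    "bin": {"Type": "host", "Source": "%2e%2e/%2e%2e/usr/bin"}}}]}})

if __name__ == "__main__":
    for name, src in find_suspicious_volumes(SAMPLE_JOB):
        print(f"suspicious host volume {name!r}: {src!r}")
```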
Monitoring Recommendations
- Enable verbose audit logging on the Nomad API and forward events to a centralized analytics platform.
- Alert on file integrity changes in sensitive directories such as /etc, /usr/bin, and Nomad's data directory.
- Track which ACL tokens submit jobs, and flag a token that starts defining host volumes when it has not done so before or does so outside its usual pattern.
How to Mitigate CVE-2026-7474
Immediate Actions Required
- Upgrade Nomad and Nomad Enterprise to 2.0.1, 1.11.5, or 1.10.11 as appropriate for your release branch.
- Rotate Nomad ACL tokens that may have been exposed to untrusted operators.
- Review recent job submissions for suspicious dynamic host volume definitions.
Patch Information
HashiCorp released fixed versions in Nomad 2.0.1, 1.11.5, and 1.10.11. Patch details and download links are available in HashiCorp Advisory HCSEC-2026-15.
Workarounds
- Restrict ACL policies so that only trusted operators can submit jobs that define host volumes.
- Disable dynamic host volume features on Nomad clients where they are not required.
- Apply strict allow-lists for host paths exposed to workloads using host_volume stanzas in client configuration.
# Configuration example: restrict host volume usage via ACL policy
namespace "default" {
  policy       = "read"
  capabilities = ["submit-job"]
}

host_volume "*" {
  policy = "deny"
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


