CVE-2026-8052 Overview
CVE-2026-8052 affects HashiCorp Nomad's exec2 task driver in versions prior to 0.1.2. The vulnerability allows a malicious task to perform arbitrary file read and write operations on the client host through a symlink attack [CWE-59]. The attacker operates with the privileges of the Nomad process user, which is typically root or a highly privileged service account. HashiCorp addressed the issue in exec2 task driver version 0.1.2 and disclosed details in security advisory HCSEC-2026-13.
Critical Impact
An authenticated user with permission to submit jobs can read and overwrite arbitrary files on Nomad client hosts, enabling host compromise and lateral movement across the cluster.
Affected Products
- HashiCorp Nomad exec2 task driver versions prior to 0.1.2
- Nomad client nodes running the exec2 task driver plugin
- Clusters where job submitters are not fully trusted with host-level access
Discovery Timeline
- 2026-05-12 - CVE-2026-8052 published to the National Vulnerability Database
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-8052
Vulnerability Analysis
The exec2 task driver is a HashiCorp Nomad plugin that executes workloads inside lightweight, sandboxed processes on client nodes. The driver must perform file system operations on behalf of the task, including staging task directories and handling allocation paths. The flaw is a Symlink Attack [CWE-59]: the task driver follows attacker-controlled symbolic links when reading or writing files. Because the driver follows the link and the operation runs as the Nomad process user, the file access lands outside the intended allocation directory with that user's privileges.
Root Cause
The exec2 driver does not adequately validate that target paths resolve within the expected task sandbox before performing file operations. A task author can place a symlink inside a writable directory that the driver later follows. This pattern matches a Time-of-Check Time-of-Use (TOCTOU) class of symlink handling failures common in privileged file operations.
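One way a driver can close both halves of this failure, the missing containment check and the TOCTOU window on the final path component. This is an added illustration, not HashiCorp's or the exec2 driver's own code; `OpenInSandbox` and `withinRoot` are hypothetical names, and it relies only on the Go standard library.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

var ErrEscapesSandbox = errors.New("path resolves outside the allocation root")

// withinRoot reports whether p equals root or lies beneath it (both cleaned, absolute).
func withinRoot(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// OpenInSandbox opens rel beneath root with the given flags while refusing to let a
// task-controlled symlink redirect the operation to a host path.
func OpenInSandbox(root, rel string, flag int, perm os.FileMode) (*os.File, error) {
	realRoot, err := filepath.EvalSymlinks(root) // canonical root for all later comparisons
	if err != nil {
		return nil, err
	}
	target := filepath.Join(realRoot, rel) // Join cleans, so ".." segments are collapsed here
	if filepath.IsAbs(rel) || !withinRoot(realRoot, target) {
		return nil, ErrEscapesSandbox // lexical escape such as "../etc/shadow"
	}
	// Resolve every symlink in the parent chain and confirm the real directory is still inside.
	realDir, err := filepath.EvalSymlinks(filepath.Dir(target))
	if err != nil {
		return nil, err
	}
	if !withinRoot(realRoot, realDir) {
		return nil, ErrEscapesSandbox // a directory component was a symlink out of the sandbox
	}
	// Open the final component with O_NOFOLLOW: a symlink planted there, even one swapped in
	// after the check above, makes open fail with ELOOP instead of being followed.
	// (On Linux 5.6+, openat2 with RESOLVE_BENEATH also closes the remaining race on parent
	// components; it is not in the standard library, so it is omitted here.)
	return os.OpenFile(filepath.Join(realDir, filepath.Base(target)), flag|syscall.O_NOFOLLOW, perm)
}
```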
Attack Vector
An attacker needs local access in the sense of being authorized to submit a Nomad job that is scheduled onto a client running the exec2 driver. The job payload plants a symlink that points to a sensitive host path such as /etc/shadow, /root/.ssh/authorized_keys, or a Nomad TLS key file. When the driver reads or writes through that path, it operates on the linked target instead of the file inside the allocation. This yields read access to host secrets and write access usable for persistence or privilege escalation as the Nomad process user. The flaw does not affect availability, and its confidentiality impact is confined to the affected client host rather than unrelated data on the network.
No public exploit code is available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. The vulnerability mechanism is described in the HashiCorp Security Advisory HCSEC-2026-13.
Detection Methods for CVE-2026-8052
Indicators of Compromise
- Symbolic links inside Nomad allocation directories (alloc/, local/, secrets/) pointing to paths outside the allocation root
- Unexpected modifications to sensitive host files such as /etc/passwd, /etc/shadow, /etc/sudoers, or ~/.ssh/authorized_keys on Nomad client hosts
- Nomad client logs showing exec2 task driver file operations that resolve to paths outside the task working directory
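A host-side check for the first indicator above: walk the client's alloc/ tree and report every symlink whose target leaves the allocation that contains it. This is an added example, not a Nomad or HashiCorp tool; `FindEscapingSymlinks` is a hypothetical name, and it assumes the layout <data_dir>/alloc/<alloc-id>/... with one directory per allocation.

```go
package main

import (
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// outsideRoot reports whether p lies outside root (both absolute and cleaned).
func outsideRoot(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	return err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// FindEscapingSymlinks walks every allocation beneath allocRoot (the client's
// <data_dir>/alloc) and returns symlink path -> resolved target for each link
// whose target leaves the allocation that contains it. WalkDir never descends
// into symlinked directories, so a planted directory link is reported, not traversed.
func FindEscapingSymlinks(allocRoot string) (map[string]string, error) {
	realRoot, err := filepath.EvalSymlinks(allocRoot)
	if err != nil {
		return nil, err
	}
	found := map[string]string{}
	err = filepath.WalkDir(realRoot, func(p string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil || d.Type()&fs.ModeSymlink == 0 {
			return walkErr
		}
		dest, err := os.Readlink(p)
		if err != nil {
			return err
		}
		if !filepath.IsAbs(dest) { // relative links are relative to the link's own directory
			dest = filepath.Join(filepath.Dir(p), dest)
		}
		if resolved, err := filepath.EvalSymlinks(dest); err == nil {
			dest = resolved // follow chained links; dangling links are judged lexically
		}
		// The allocation is the first directory level below alloc/; a link must
		// stay inside its own allocation, not merely somewhere under alloc/.
		rel, _ := filepath.Rel(realRoot, p)
		allocDir := filepath.Join(realRoot, strings.SplitN(rel, string(filepath.Separator), 2)[0])
		if outsideRoot(allocDir, filepath.Clean(dest)) {
			found[p] = dest
		}
		return nil
	})
	return found, err
}
```

Run it from a periodic job or a file-integrity hook and feed hits into the same pipeline as the auditd events; a link that crosses into another allocation is flagged as well as one that reaches the host root.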
Detection Strategies
- Audit all running exec2 task driver versions across the fleet and flag any instance below 0.1.2
- Enable Linux audit rules (auditd) on Nomad client hosts to log file access by the Nomad process user outside /opt/nomad/data/alloc/
- Inspect job specifications for tasks that create symlinks during template or artifact stages and correlate with file accesses on host paths
Monitoring Recommendations
- Forward Nomad client logs and host audit logs to a centralized analytics platform and alert on writes to system configuration files by the Nomad user
- Track changes to the SHA hash of the exec2 driver binary on each client and verify it matches the 0.1.2 release
- Establish baselines for normal exec2 task file activity and alert on deviations such as access to /etc, /root, or /var/lib/nomad/server
How to Mitigate CVE-2026-8052
Immediate Actions Required
- Upgrade the exec2 task driver to version 0.1.2 or later on every Nomad client node that runs it
- Restrict Nomad ACL policies so that only trusted namespaces and operators can submit jobs using the exec2 driver
- Review existing allocations for symlinks that point outside their allocation directory and terminate suspicious jobs
- Rotate credentials, TLS keys, and SSH authorized keys that may have been exposed on affected client hosts
Patch Information
HashiCorp fixed the vulnerability in exec2 task driver version 0.1.2. Download the updated plugin binary from the HashiCorp release channel and deploy it to the Nomad plugin directory on each client, then restart the Nomad agent. Refer to the HashiCorp Security Advisory HCSEC-2026-13 for the complete fix description.
Workarounds
- Disable the exec2 task driver on client nodes until the patched version is deployed by removing the plugin from the Nomad plugin directory
- Use Nomad ACL policies to deny the submit-job capability to non-administrative users in any namespace where the exec2 driver is enabled
- Run the Nomad client agent under a dedicated unprivileged user where operationally feasible to limit the blast radius of arbitrary file read and write
# Configuration example: disable the exec2 driver in the Nomad client config
plugin "exec2" {
  config {
    enabled = false
  }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.