=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN495
_____________________________________________________________________

DATE                : 13/05/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running Nomad Community Edition versions
                      prior to 2.0.1,
                      Nomad Enterprise versions prior to 2.0.1, 1.11.5, 1.10.11.

=====================================================================
https://discuss.hashicorp.com/t/hcsec-2026-15-nomad-vulnerable-to-path-traversal-in-dynamic-host-volume-which-may-lead-to-code-execution/77417
https://discuss.hashicorp.com/t/hcsec-2026-14-nomad-arbitrary-file-read-write-on-client-host-through-symlink-attack/77416
_____________________________________________________________________

HCSEC-2026-15 - Nomad vulnerable to path traversal in dynamic host
volume which may lead to code execution

Bulletin ID: HCSEC-2026-15
Affected Products / Versions: Nomad Community Edition from 1.10.0
up to 2.0.0, fixed in 2.0.1; Nomad Enterprise from 1.10.0 up to
2.0.0, fixed in 2.0.1, 1.11.5, and 1.10.11.
Publication Date: May 12, 2026

Summary
HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to
code execution on the client host through a path traversal attack.
This vulnerability (CVE-2026-7474) is fixed in Nomad 2.0.1, 1.11.5
and 1.10.11.

Background
Nomad’s Dynamic Host Volumes feature allows the cluster admin to allow
authorized users to create volumes on the client host. These volumes
can be provisioned with Nomad’s built-in “mkdir” plugin, or they can
utilize an external plugin that has been added to the host’s plugin
directory by a cluster admin. These plugins are executables that are
expected to dynamically configure persistent storage on the Nomad
client node. The plugin is executed as the same user as the Nomad
agent (likely root).

Details
A user with host-volume-create and read access to nodes can submit a
host-volume create request that specifies a target node identifier
and plugin identifier that traverses out of the plugin directory and
executes a non-plugin executable as the same user as the Nomad agent.
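As an added illustration written for this note (not Nomad's own code or fix), the kind of plugin ID validation that closes the traversal described above: the ID must be a single path element, and the path built from it must still sit inside the plugin directory. The plugin directory path and IDs are constructed examples.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafePluginID is returned for any plugin ID that is not a plain file
// name living directly inside the plugin directory.
var ErrUnsafePluginID = errors.New("plugin id must be a single path element inside the plugin directory")

// ResolvePluginPath maps a caller-supplied plugin ID to an executable under
// pluginDir. Hypothetical check written for this note, not Nomad's code.
func ResolvePluginPath(pluginDir, pluginID string) (string, error) {
	// A plugin ID is a name, never a path: reject empty, ".", "..", and anything
	// with a separator (Base would strip a "../" prefix, so compare against it).
	if pluginID == "" || pluginID == "." || pluginID == ".." || pluginID != filepath.Base(pluginID) {
		return "", ErrUnsafePluginID
	}
	if strings.ContainsAny(pluginID, `/\`) { // backslash is not a separator on Linux; reject it anyway
		return "", ErrUnsafePluginID
	}
	absDir, err := filepath.Abs(pluginDir)
	if err != nil {
		return "", err
	}
	candidate := filepath.Join(absDir, pluginID) // Join also Cleans the result
	// Defence in depth: the cleaned path must still sit strictly below pluginDir.
	if !strings.HasPrefix(candidate, absDir+string(filepath.Separator)) {
		return "", ErrUnsafePluginID
	}
	return candidate, nil
}

func main() {
	const dir = "/opt/nomad/host_volume_plugins" // constructed example path
	for _, id := range []string{"ext-storage", "../../../bin/sh", "sub/plugin", ".."} {
		p, err := ResolvePluginPath(dir, id)
		fmt.Printf("%-18q -> %q %v\n", id, p, err)
	}
}
```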

Remediation
Customers should evaluate the risk associated with this issue and
consider upgrading to Nomad Community Edition 2.0.1 or Nomad Enterprise
2.0.1, 1.11.5, or 1.10.11.
Nomad Enterprise customers that are unable to upgrade can implement a
Sentinel policy to disable external plugins. The following policy
disables any plugin_id except the built-in mkdir:

# policy.hcl
# Only a host volume create request that names the built-in "mkdir" plugin
# passes; any external plugin_id is rejected.
is_allowed_plugin = func() {
  print("only mkdir plugins allowed")
  return volume.plugin_id == "mkdir"
}
main = rule { is_allowed_plugin() }

This policy can be applied to Nomad Enterprise clusters with:
nomad sentinel apply -level hard-mandatory -scope=submit-host-volume mkdironly ./policy.hcl


Acknowledgement
This issue was reported to HashiCorp by Adrian Denkiewicz at
Doyensec in collaboration with Claude and Anthropic Research.

We deeply appreciate any effort to coordinate disclosure of
security vulnerabilities. For information about security at
HashiCorp and the reporting of security vulnerabilities,
please see https://hashicorp.com/security.

_____________________________________________________________________

HCSEC-2026-14 - Nomad arbitrary file read/write on client host
through symlink attack

Posted May 12 by james.warren (discuss.hashicorp.com)

Bulletin ID: HCSEC-2026-14
Affected Products / Versions: Nomad Community Edition from 0.9 up to
2.0.0, fixed in 2.0.1; Nomad Enterprise from 0.9 up to 2.0.0, fixed
in 2.0.1, 1.11.5, and 1.10.11.
Publication Date: May 12, 2026

Summary
HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to
arbitrary file read and write on the client host as the Nomad process
user through a symlink attack. This vulnerability (CVE-2026-6959) is
fixed in Nomad 2.0.1, 1.11.5 and 1.10.11.

Background
Nomad workloads are run by task drivers that implement various levels
of filesystem isolation from the Nomad client host. Tasks within a
workload allocation share a directory where logs are written. This
directory is typically a bind mount from the host’s filesystem that
contains the log files and named pipes that capture stdout and stderr
from the workload.

Details
An attacker with permission to launch a malicious Nomad task may be
able to manipulate the named pipe symlinks for an allocation’s log file,
allowing read/write access to the Nomad host’s filesystem with the
privileges of the Nomad process user.
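As an added illustration written for this note (not Nomad's own code or fix), one defensive pattern against the symlink swap described above: before the client opens an entry in the allocation log directory, it checks with Lstat that the entry is not a symlink and opens it with O_NOFOLLOW so a swap between the check and the open fails instead of being followed. The directory, file names and symlink are constructed for the demo; the same open flags apply to a named pipe.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// OpenLogPathNoFollow opens an entry of the allocation log directory for
// appending without ever following a symlink at the final path element.
// Hypothetical hardening written for this note, not Nomad's actual fix; the
// directory chain above logDir still has to be trusted.
func OpenLogPathNoFollow(logDir, name string) (*os.File, error) {
	if name == "" || name != filepath.Base(name) {
		return nil, fmt.Errorf("log name %q must be a plain file name", name)
	}
	p := filepath.Join(logDir, name)
	fi, err := os.Lstat(p) // Lstat reports the link itself, not its target
	if err != nil {
		return nil, err
	}
	if fi.Mode()&os.ModeSymlink != 0 {
		return nil, fmt.Errorf("%s is a symlink, refusing to follow it", p)
	}
	// O_NOFOLLOW closes the window between Lstat and open: if the entry is
	// swapped for a symlink in between, the kernel fails the open with ELOOP.
	return os.OpenFile(p, os.O_WRONLY|os.O_APPEND|syscall.O_NOFOLLOW, 0)
}

func main() {
	dir, err := os.MkdirTemp("", "alloc-logs") // constructed stand-in for an alloc log dir
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	os.WriteFile(filepath.Join(dir, "task.stdout.0"), nil, 0o600)
	os.Symlink(filepath.Join(dir, "not-a-log"), filepath.Join(dir, "task.stderr.0")) // constructed swapped entry
	for _, n := range []string{"task.stdout.0", "task.stderr.0"} {
		f, err := OpenLogPathNoFollow(dir, n)
		if err == nil {
			f.Close()
		}
		fmt.Println(n, "->", err)
	}
}
```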

Remediation
Customers should evaluate the risk associated with this issue and
consider upgrading to Nomad 2.0.1, 1.11.5, 1.10.11, or newer.

Acknowledgement
This issue was identified by Alex Manson (Aiven / NeuroWinter).

We deeply appreciate any effort to coordinate disclosure of security
vulnerabilities. For information about security at HashiCorp and the
reporting of security vulnerabilities, please see
https://hashicorp.com/security.

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================