
HashiCorp — Vulnerabilities & Security Advisories (89)

Browse all 89 CVE security advisories affecting HashiCorp. AI-powered Chinese analysis, POCs, and references for each vulnerability.

HashiCorp develops infrastructure automation software, best known for Terraform, Vault, Consul, Nomad and Boundary, which provision, secure and connect cloud infrastructure. The advisories on record fall into a handful of recurring classes: denial of service through unbounded resource consumption (CWE-770, the most frequent entry among the recent advisories listed below), authentication and policy bypass (CWE-288, CWE-863, CWE-266), arbitrary file reads through symlink or path handling (CWE-59, CWE-200), leakage of tokens and secrets into logs, error messages or backends (CWE-532, CWE-209, CWE-201), and code execution through plugin or rendering paths (CWE-94). Most sit at integration points: how Vault brokers cloud-provider and directory identities, how Consul and Nomad evaluate ACL and Sentinel policies attached to workloads, how go-getter fetches remote modules. With 89 CVEs on record, the exposure reflects what these tools are: highly privileged, widely deployed, and extensible through plugins, providers and auth methods, so a single flaw in one of those extension points can undermine the trust the rest of the estate places in the tool. Patch promptly, and where an advisory names a specific auth method, plugin or endpoint, confirm whether it is enabled in your deployment before concluding that you are unaffected.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-7776 | Boundary Workers Vulnerable to Denial of Service During TLS Handshake | Boundary | CWE-770 | 7.5 | High | 2026-05-04 |
| CVE-2026-5807 | Vault Vulnerable to Denial-of-Service via Unauthenticated Root Token Generation/Rekey Operations | Vault | CWE-770 | 7.5 | High | 2026-04-17 |
| CVE-2026-4525 | Vault Token Leaked to Backends via Authorization: Bearer Passthrough Header | Vault | CWE-201 | 7.5 | High | 2026-04-17 |
| CVE-2026-5052 | Vault Vulnerable to Server-Side Request Forgery in ACME Challenge Validation via Attacker-Controlled DNS | Vault | CWE-918 | 5.3 | Medium | 2026-04-17 |
| CVE-2026-3605 | Vault KVv2 Metadata and Secret Deletion Policy Bypass Denial-of-Service | Vault | CWE-288 | 8.1 | High | 2026-04-17 |
| CVE-2026-4660 | Go-getter may allow arbitrary filesystem reads through git operations | Tooling | CWE-200 | 7.5 | High | 2026-04-09 |
| CVE-2026-2808 | Consul vulnerable to arbitrary file reads through the vault kubernetes authentication provider | Consul | CWE-59 | 6.8 | Medium | 2026-03-11 |
| CVE-2026-0969 | Arbitrary code execution in React server-side rendering of untrusted MDX content | Shared library | CWE-94 | 8.8 | High | 2026-02-12 |
| CVE-2025-13357 | Vault Terraform Provider Applied Incorrect Defaults for LDAP Auth Method | Tooling | CWE-1188 | 7.4 | High | 2025-11-21 |
| CVE-2025-13432 | Terraform Enterprise state versions can be created by users with specific permissions without sufficient write access | Terraform Enterprise | CWE-863 | 4.3 | Medium | 2025-11-21 |
| CVE-2025-11374 | Consul's KV endpoint is vulnerable to denial of service | Consul | CWE-770 | 6.5 | Medium | 2025-10-28 |
| CVE-2025-11375 | Consul's event endpoint is vulnerable to denial of service | Consul | CWE-770 | 6.5 | Medium | 2025-10-28 |
| CVE-2025-12044 | Vault Vulnerable to Denial of Service Due to Rate Limit Regression | Vault | CWE-770 | 7.5 | High | 2025-10-23 |
| CVE-2025-11621 | Vault AWS auth method bypass due to AWS client cache | Vault | CWE-288 | 8.1 | High | 2025-10-23 |
| CVE-2025-6203 | Vault unauthenticated denial of service through complex json payload | Vault | CWE-770 | 7.5 | High | 2025-08-28 |
| CVE-2025-8959 | HashiCorp go-getter Vulnerable to Arbitrary Read through Symlink Attack | Shared library | CWE-59 | 7.5 | High | 2025-08-15 |
| CVE-2025-6013 | Vault LDAP MFA Enforcement Bypass When Using Username As Alias | Vault | CWE-156 | 6.5 | Medium | 2025-08-06 |
| CVE-2025-6015 | Vault Login MFA Bypass of Rate Limiting and TOTP Code Reuse | Vault | CWE-307 | 5.7 | Medium | 2025-08-01 |
| CVE-2025-6011 | Timing Side-Channel in Vault’s Userpass Auth Method | Vault | CWE-203 | 3.7 | Low | 2025-08-01 |
| CVE-2025-6004 | Vault Userpass and LDAP User Lockout Bypass | Vault | CWE-307 | 5.3 | Medium | 2025-08-01 |
| CVE-2025-6037 | Vault Certificate Auth Method Did Not Validate Common Name For Non-CA Certificates | Vault | CWE-295 | 6.8 | Medium | 2025-08-01 |
| CVE-2025-6014 | Vault TOTP Secrets Engine Code Reuse | Vault | CWE-156 | 6.5 | Medium | 2025-08-01 |
| CVE-2025-6000 | Arbitrary Remote Code Execution via Plugin Catalog Abuse | Vault | CWE-94 | 9.1 | Critical | 2025-08-01 |
| CVE-2025-5999 | Vault Root Namespace Operator May Elevate Token Privileges | Vault | CWE-266 | 7.2 | High | 2025-08-01 |
| CVE-2025-4656 | Vault Vulnerable to Recovery Key Cancellation Denial of Service | Vault | CWE-1088 | 3.1 | Low | 2025-06-25 |
| CVE-2025-4922 | Nomad Vulnerable To Incorrect ACL Policy Lookup Attached To A Job | Nomad | CWE-266 | 8.1 | High | 2025-06-11 |
| CVE-2025-3744 | Nomad Vulnerable To Violation Of Mandatory Sentinel Policies in Nomad Job Submissions via Policy Override | Nomad Enterprise | CWE-266 | 7.6 | High | 2025-05-13 |
| CVE-2025-3879 | Vault’s Azure Authentication Method bound_location Restriction Could be Bypassed on Login | Vault | CWE-863 | 6.6 | Medium | 2025-05-02 |
| CVE-2025-4166 | Vault May Include Sensitive Data in Error Logs When Using the KV v2 Plugin | Vault | CWE-209 | 4.5 | Medium | 2025-05-02 |
| CVE-2025-1296 | Nomad Exposes Sensitive Workload Identity and Client Secret Token in Audit Logs | Nomad | CWE-532 | 6.5 | Medium | 2025-03-10 |
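The rows above are easier to act on as structured records than as a wall of titles. The following is an added example, not code from this site or from HashiCorp: a small Python triage helper that parses listing rows in either the flattened one-line rendering aggregator pages export (product and CWE, severity and date run together) or a pipe-delimited table, checks that each stated severity label agrees with the CVSS v3 qualitative band, and ranks the entries for the products you actually run. The sample rows are copied from this listing; the names `SAMPLE_ROWS`, `parse_row`, `triage`, `cwe_histogram` and `mislabelled` are chosen for the example.

```python
"""Triage helper for a flat CVE advisory listing.

Added example, not code from the listing site or from HashiCorp. Parses
rows, validates the severity label against the CVSS band, and ranks the
entries that matter for a given set of products.
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Advisory:
    cve: str
    title: str
    product: str
    cwe: str
    cvss: float
    severity: str
    published: date


# Flattened rendering: "CVE-… Title — ProductCWE-nnn 7.5 High2026-04-17".
# Product/CWE and severity/date are run together, so they are split by shape:
# the product is whatever precedes the "CWE-" token, the date is the trailing
# ISO string after the severity word.
_FLAT = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,7})\s+(?P<title>.+?)\s+\u2014\s+"
    r"(?P<product>.+?)(?P<cwe>CWE-\d+)\s+(?P<cvss>\d{1,2}\.\d)\s+"
    r"(?P<severity>Critical|High|Medium|Low)(?P<published>\d{4}-\d{2}-\d{2})$"
)


def severity_for(cvss: float) -> str:
    """CVSS v3.x qualitative bands as defined by FIRST."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low"


def parse_row(line: str) -> Optional[Advisory]:
    """Parse one row in either rendering; None for headers, separators and junk."""
    line = line.strip()
    if "|" in line:
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 7 or not cells[0].startswith("CVE-"):
            return None
        cve, title, product, cwe, cvss, severity, published = cells
    else:
        m = _FLAT.match(line)
        if not m:
            return None
        cve, title, product, cwe, cvss, severity, published = m.group(
            "cve", "title", "product", "cwe", "cvss", "severity", "published")
    try:
        return Advisory(cve, title, product.strip(), cwe, float(cvss),
                        severity, date.fromisoformat(published))
    except ValueError:  # malformed score or date: skip rather than guess
        return None


def advisories(rows: Iterable[str]) -> List[Advisory]:
    return [a for a in map(parse_row, rows) if a is not None]


def mislabelled(rows: Iterable[str]) -> List[str]:
    """CVE IDs whose stated severity disagrees with the CVSS band. Aggregator
    pages sometimes carry a stale or hand-edited label, so check this before
    filtering on the label alone."""
    return [a.cve for a in advisories(rows) if a.severity != severity_for(a.cvss)]


def cwe_histogram(rows: Iterable[str]) -> Counter:
    """Weakness classes by count: the quickest view of what keeps recurring."""
    return Counter(a.cwe for a in advisories(rows))


def triage(rows: Iterable[str], products: Iterable[str],
           min_cvss: float = 7.0) -> List[Advisory]:
    """Entries for the products you run at or above min_cvss, highest score
    first and newest first on ties. Product matching is case-insensitive but
    exact, so "Nomad" does not match "Nomad Enterprise"; pass both if needed."""
    wanted = {p.lower() for p in products}
    hits = [a for a in advisories(rows)
            if a.product.lower() in wanted and a.cvss >= min_cvss]
    return sorted(hits, key=lambda a: (-a.cvss, -a.published.toordinal()))


# Constructed sample: rows copied from the listing, in both renderings, plus
# the header line as it appears when the table is flattened.
SAMPLE_ROWS = [
    "CVE-2025-6000 Arbitrary Remote Code Execution via Plugin Catalog Abuse — VaultCWE-94 9.1 Critical2025-08-01",
    "CVE-2025-11621 Vault AWS auth method bypass due to AWS client cache — VaultCWE-288 8.1 High2025-10-23",
    "CVE-2026-4525 Vault Token Leaked to Backends via Authorization: Bearer Passthrough Header — VaultCWE-201 7.5 High2026-04-17",
    "CVE-2025-11374 Consul's KV endpoint is vulnerable to denial of service — ConsulCWE-770 6.5 Medium2025-10-28",
    "CVE-2025-4922 Nomad Vulnerable To Incorrect ACL Policy Lookup Attached To A Job — NomadCWE-266 8.1 High2025-06-11",
    "CVE-2026-0969 Arbitrary code execution in React server-side rendering of untrusted MDX content — Shared libraryCWE-94 8.8 High2026-02-12",
    "| CVE-2025-6011 | Timing Side-Channel in Vault’s Userpass Auth Method | Vault | CWE-203 | 3.7 | Low | 2025-08-01 |",
    "CVE IDTitleCVSSSeverityPublished",
]

if __name__ == "__main__":
    for a in triage(SAMPLE_ROWS, ["Vault", "Nomad"]):
        print(f"{a.cvss:4.1f} {a.cve:<15} {a.product:<8} {a.cwe:<8} {a.title}")
    print("mislabelled:", mislabelled(SAMPLE_ROWS) or "none")
    print("by CWE:", dict(cwe_histogram(SAMPLE_ROWS)))
```

Feed it the rows for the products in your estate and a CVSS floor; anything it returns with a plugin, auth method or endpoint in the title still needs a configuration check, since the score says nothing about whether that component is enabled on your nodes.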

This page lists every published CVE security advisory associated with HashiCorp. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.