
HashiCorp — Vulnerabilities & Security Advisories (93)

Browse all 93 CVE security advisories affecting HashiCorp. AI-powered Chinese analysis, POCs, and references for each vulnerability.

HashiCorp develops infrastructure automation software, primarily known for Terraform, Vault, and Consul, which enable organizations to provision and secure cloud infrastructure. The company’s products have historically been associated with various vulnerability classes, including remote code execution, cross-site scripting, and privilege escalation, often stemming from complex integration points or misconfigurations in how these tools interact with underlying systems. With 89 CVEs currently on record, the security landscape for HashiCorp tools reflects the inherent risks of widely adopted, high-privilege infrastructure management software. While no single catastrophic incident has defined the brand’s history, the volume of disclosed flaws highlights the challenges of maintaining security across a diverse ecosystem of plugins and integrations. Users must rigorously patch these tools to mitigate risks associated with unauthorized access or data exfiltration, ensuring that the powerful automation capabilities do not become vectors for systemic compromise.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-7474 | Nomad vulnerable to path traversal in dynamic host volume which may lead to code execution | Nomad | CWE-22 | 8.8 | High | 2026-05-12 |
| CVE-2026-8052 | Nomad's exec2 task driver vulnerable to arbitrary file read/write on client host through symlink attack | Shared library | CWE-59 | 6.0 | Medium | 2026-05-12 |
| CVE-2026-6959 | Nomad vulnerable to arbitrary file read/write on client host through symlink attack | Nomad | CWE-59 | 6.0 | Medium | 2026-05-12 |
| CVE-2026-5061 | Consul-template vulnerable to sandbox path bypass in file helper via a symlink attack | Tooling | CWE-59 | 4.7 | Medium | 2026-05-12 |
| CVE-2026-7776 | Boundary Workers Vulnerable to Denial of Service During TLS Handshake | Boundary | CWE-770 | 7.5 | High | 2026-05-04 |
| CVE-2026-5807 | Vault Vulnerable to Denial-of-Service via Unauthenticated Root Token Generation/Rekey Operations | Vault | CWE-770 | 7.5 | High | 2026-04-17 |
| CVE-2026-4525 | Vault Token Leaked to Backends via Authorization: Bearer Passthrough Header | Vault | CWE-201 | 7.5 | High | 2026-04-17 |
| CVE-2026-5052 | Vault Vulnerable to Server-Side Request Forgery in ACME Challenge Validation via Attacker-Controlled DNS | Vault | CWE-918 | 5.3 | Medium | 2026-04-17 |
| CVE-2026-3605 | Vault KVv2 Metadata and Secret Deletion Policy Bypass Denial-of-Service | Vault | CWE-288 | 8.1 | High | 2026-04-17 |
| CVE-2026-4660 | Go-getter may allow to arbitrary filesystem reads through git operations | Tooling | CWE-200 | 7.5 | High | 2026-04-09 |
| CVE-2026-2808 | Consul vulnerable to arbitrary file reads through the vault kubernetes authentication provider | Consul | CWE-59 | 6.8 | Medium | 2026-03-11 |
| CVE-2026-0969 | Arbitrary code execution in React server-side rendering of untrusted MDX content | Shared library | CWE-94 | 8.8 | High | 2026-02-12 |
| CVE-2025-13357 | Vault Terraform Provider Applied Incorrect Defaults for LDAP Auth Method | Tooling | CWE-1188 | 7.4 | High | 2025-11-21 |
| CVE-2025-13432 | Terraform Enterprise state versions can be created by users with specific permissions without sufficient write access | Terraform Enterprise | CWE-863 | 4.3 | Medium | 2025-11-21 |
| CVE-2025-11374 | Consul's KV endpoint is vulnerable to denial of service | Consul | CWE-770 | 6.5 | Medium | 2025-10-28 |
| CVE-2025-11375 | Consul's event endpoint is vulnerable to denial of service | Consul | CWE-770 | 6.5 | Medium | 2025-10-28 |
| CVE-2025-12044 | Vault Vulnerable to Denial of Service Due to Rate Limit Regression | Vault | CWE-770 | 7.5 | High | 2025-10-23 |
| CVE-2025-11621 | Vault AWS auth method bypass due to AWS client cache | Vault | CWE-288 | 8.1 | High | 2025-10-23 |
| CVE-2025-6203 | Vault unauthenticated denial of service through complex json payload | Vault | CWE-770 | 7.5 | High | 2025-08-28 |
| CVE-2025-8959 | HashiCorp go-getter Vulnerable to Arbitrary Read through Symlink Attack | Shared library | CWE-59 | 7.5 | High | 2025-08-15 |
| CVE-2025-6013 | Vault LDAP MFA Enforcement Bypass When Using Username As Alias | Vault | CWE-156 | 6.5 | Medium | 2025-08-06 |
| CVE-2025-6015 | Vault Login MFA Bypass of Rate Limiting and TOTP Code Reuse | Vault | CWE-307 | 5.7 | Medium | 2025-08-01 |
| CVE-2025-6011 | Timing Side-Channel in Vault's Userpass Auth Method | Vault | CWE-203 | 3.7 | Low | 2025-08-01 |
| CVE-2025-6004 | Vault Userpass and LDAP User Lockout Bypass | Vault | CWE-307 | 5.3 | Medium | 2025-08-01 |
| CVE-2025-6037 | Vault Certificate Auth Method Did Not Validate Common Name For Non-CA Certificates | Vault | CWE-295 | 6.8 | Medium | 2025-08-01 |
| CVE-2025-6014 | Vault TOTP Secrets Engine Code Reuse | Vault | CWE-156 | 6.5 | Medium | 2025-08-01 |
| CVE-2025-6000 | Arbitrary Remote Code Execution via Plugin Catalog Abuse | Vault | CWE-94 | 9.1 | Critical | 2025-08-01 |
| CVE-2025-5999 | Vault Root Namespace Operator May Elevate Token Privileges | Vault | CWE-266 | 7.2 | High | 2025-08-01 |
| CVE-2025-4656 | Vault Vulnerable to Recovery Key Cancellation Denial of Service | Vault | CWE-1088 | 3.1 | Low | 2025-06-25 |
| CVE-2025-4922 | Nomad Vulnerable To Incorrect ACL Policy Lookup Attached To A Job | Nomad | CWE-266 | 8.1 | High | 2025-06-11 |

This page lists every published CVE security advisory associated with HashiCorp. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.