HCSEC-2025-04 - Nomad Exposes Sensitive Workload Identity and Client Secret Token in Audit Logs

Bulletin ID: HCSEC-2025-04
Affected Products / Versions:
Nomad Community Edition from 1.0.0 up to 1.9.6, fixed in 1.9.7.
Nomad Enterprise from 1.0.0 up to 1.9.6, 1.8.10, 1.7.18, fixed in 1.9.7, 1.8.11, and 1.7.19.

Publication Date: March 10, 2025

Summary
Nomad Community and Nomad Enterprise (“Nomad”) are vulnerable to unintentional exposure of the workload identity token and client secret token in audit logs. This vulnerability, identified as CVE-2025-1296, is fixed in Nomad Community Edition 1.9.7 and Nomad Enterprise 1.9.7, 1.8.11, and 1.7.19.

Background
Nomad’s audit block configuration allows operators to enable audit logs, define a sink to stream audit logs to, and modify filter rules to exclude events from the audit log. The workload identity feature is used to grant permissions to a Nomad task within an allocation, via a JWT signed by the leader’s keyring. The OIDC Client Secret is the OAuth client secret configured with your OIDC provider; it can be set under the Config (ACLAuthMethodConfig) block in the ACL auth methods HTTP API.

Details
It was discovered that a logging utility within Nomad would write the unredacted workload identity token and client secret token to its event stream and log file. As a result, anyone with unauthorized access to these logs could read the workload identity tokens and the client secret token, allowing an attacker to impersonate users or to gain access to protected resources through the exposed client secret.
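As an added illustration (not HashiCorp's code), the scanner below walks audit-log lines looking for the two value types this bulletin describes: a JWT-shaped string anywhere in an event, and any non-empty field whose name looks like a client secret. The event layout and the OIDCClientSecret key name are assumptions and the sample lines are constructed, so a finding only means the log should be treated as containing credentials when evaluating exposure.

```python
import json
import re

# A JWT is three base64url segments joined by dots; its header encodes '{"', so
# every JWT starts with "eyJ".
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}")
# Field names that may hold the OIDC client secret (assumption: a key such as
# OIDCClientSecret inside the auth-method Config block; matched case-insensitively).
SECRET_KEY_RE = re.compile(r"client[_-]?secret", re.IGNORECASE)

def _walk(node, path=""):
    """Yield (json_path, value) for every scalar inside a decoded JSON event."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for idx, value in enumerate(node):
            yield from _walk(value, f"{path}[{idx}]")
    else:
        yield path, node

def find_leaks(line):
    """Return (kind, json_path) findings for one audit-log line."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        event = {"raw": line}  # still scan non-JSON lines for token shapes
    findings = []
    for path, value in _walk(event):
        if not isinstance(value, str) or not value:
            continue
        if SECRET_KEY_RE.search(path.rsplit(".", 1)[-1]):
            findings.append(("client_secret", path))
        if JWT_RE.search(value):
            findings.append(("jwt", path))
    return findings

def scan_log(lines):
    """Map 1-based line numbers to findings, omitting clean lines."""
    return {n: hits for n, line in enumerate(lines, 1) if (hits := find_leaks(line))}

# Constructed sample lines (not real Nomad output): line 1 leaks an auth-method
# client secret, line 2 is clean, line 3 carries a made-up workload identity JWT.
SAMPLE_LOG = [
    '{"type":"audit","payload":{"request":{"endpoint":"/v1/acl/auth-method/oidc-demo"},'
    '"response":{"Config":{"OIDCClientSecret":"example-secret-value"}}}}',
    '{"type":"audit","payload":{"request":{"endpoint":"/v1/jobs"},"response":{"status":200}}}',
    '{"type":"audit","payload":{"request":{"headers":{"X-Nomad-Token":'
    '"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ0YXNrLWV4YW1wbGUifQ.c2lnLWV4YW1wbGU"}}}}',
]
```

Running `scan_log` over a real audit log in the same way reports the line numbers and JSON paths that carried secrets, which is the evidence needed to decide which tokens and client secrets to rotate.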

Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Nomad 1.9.7, 1.8.11, 1.7.19, or newer.

Acknowledgement
This issue was identified by HashiCorp’s Nomad engineering teams, in collaboration with HashiCorp’s support engineering teams.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.