HCSEC-2026-12 - Consul-template vulnerable to sandbox path bypass in file helper through symlink attack

Bulletin ID: HCSEC-2026-12
Affected Products / Versions: Consul-template up to 0.41.4; fixed in 0.42.0.
Publication Date: May 12, 2026

Summary
The consul-template library before version 0.42.0 is vulnerable to a sandbox path bypass in the file template helper that may allow reading an out-of-sandbox file. This vulnerability (CVE-2026-5061) is fixed in consul-template 0.42.0.

Background
The file template function reads a local file from disk and renders its contents into the template output. It also watches the file for changes. When a file is modified, consul-template automatically re-renders the template. The sandbox_path restricts which local files the file function is allowed to read and ensures the path passed falls within the given directory tree.

Details
During template evaluation the file template helper enforces the sandbox_path, but the later dependency fetch reads the original input path without rechecking the sandbox_path. This creates a time-of-check time-of-use gap. If an attacker retargets a symlink after the initial validation but before the dependency fetch, the fetch can read an out-of-sandbox file. If the attacker restores the safe target before the next render, the second validation still passes and the template consumes the already-cached out-of-sandbox content.
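The following Go snippet is an added illustration of the gap described above and of the defensive shape that closes it; it is not consul-template's code and not the fix shipped in 0.42.0. checkThenFetch models the validate-once-then-read pattern, while readInSandbox re-resolves symlinks and rechecks sandbox_path at the moment of the fetch and opens only the resolved target; the function names, the error value and the between hook are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

var ErrOutsideSandbox = errors.New("path resolves outside sandbox_path") // hypothetical error value

// resolveInSandbox follows symlinks in the root and the absolute input path, then keeps only targets beneath the root.
func resolveInSandbox(sandbox, path string) (string, error) {
	if !filepath.IsAbs(path) {
		return "", ErrOutsideSandbox // a relative input cannot be confined, so it is refused
	}
	root, err1 := filepath.EvalSymlinks(sandbox)
	target, err2 := filepath.EvalSymlinks(path)
	if err := errors.Join(err1, err2); err != nil {
		return "", err
	}
	rel, err := filepath.Rel(root, target)
	if err != nil || !filepath.IsLocal(rel) { // IsLocal rejects "..", "../x" and absolute results
		return "", ErrOutsideSandbox
	}
	return target, nil
}

// checkThenFetch models the advisory's gap: validate once, then read the original input path later without rechecking.
func checkThenFetch(sandbox, path string, between func()) ([]byte, error) {
	if _, err := resolveInSandbox(sandbox, path); err != nil {
		return nil, err
	}
	between() // stands in for the window in which the link target can change
	return os.ReadFile(path) // follows whatever the link points at now
}

// readInSandbox rechecks at the moment of the fetch and opens only the resolved real target.
func readInSandbox(sandbox, path string) ([]byte, error) {
	target, err := resolveInSandbox(sandbox, path)
	if err != nil {
		return nil, err
	}
	return os.ReadFile(target)
}

func main() {
	fmt.Println(readInSandbox("/etc", "/tmp")) // hypothetical paths: /tmp lies outside the /etc sandbox
}
```

Rechecking at the fetch removes the cached-result problem but still leaves a small window between EvalSymlinks and ReadFile; eliminating it entirely requires resolving each component against an open directory descriptor, which is beyond this example.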

Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to consul-template 0.42.0.

Acknowledgement
This issue was reported to HashiCorp by Mohamed Abdelaal (0xmrma).

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.