HCSEC-2026-13 - Nomad's exec2 task driver vulnerable to arbitrary file read/write on client host through symlink attack

Bulletin ID: HCSEC-2026-13
Affected Products / Versions: Nomad exec2 task driver up to 0.1.1; fixed in version 0.1.2.
Publication Date: May 12, 2026

Summary
HashiCorp Nomad’s exec2 task driver prior to 0.1.2 is vulnerable to arbitrary file read and write on the client host as the Nomad process user through a symlink attack. This vulnerability (CVE-2026-8052) is fixed in version 0.1.2 of the exec2 task driver.

Background
Nomad workloads are run by task drivers that implement various levels of filesystem isolation from the Nomad client host. Tasks within a workload allocation share a directory where logs are written. This directory is typically a bind mount from the host’s filesystem that contains the log files and named pipes that capture stdout and stderr from the workload.

Details
An attacker with permission to launch a malicious Nomad task may be able to manipulate the named pipe symlinks for an allocation’s log file, allowing read/write access to the Nomad host’s filesystem with the privileges of the Nomad process user.
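
An added example, not HashiCorp's code and not the fix shipped in 0.1.2: a Go helper an operator could run against an allocation's log directory to list the symlinks in it and flag any that resolve outside that directory. The directory path is supplied by the caller; treating an out-of-directory target as unexpected is an assumption, and the names Finding and AuditLogDir are hypothetical.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Finding is one symlink found directly inside the audited directory (hypothetical type).
type Finding struct {
	Name, Target string // entry name; fully resolved target ("" if it cannot be resolved)
	Escapes      bool   // true when the target is outside the directory or unresolvable
}

// AuditLogDir lists the symlinks in dir and reports where each one resolves.
// Assumption: a link that leaves the log directory is worth investigating.
func AuditLogDir(dir string) ([]Finding, error) {
	root, err := filepath.EvalSymlinks(dir) // canonical path, so prefix checks are reliable
	if err != nil {
		return nil, err
	}
	entries, err := os.ReadDir(root) // does not follow links; sorted by name
	if err != nil {
		return nil, err
	}
	var out []Finding
	for _, e := range entries {
		if e.Type()&os.ModeSymlink == 0 {
			continue // regular log files and named pipes are not links
		}
		f := Finding{Name: e.Name(), Escapes: true}
		if t, err := filepath.EvalSymlinks(filepath.Join(root, e.Name())); err == nil {
			f.Target = t
			f.Escapes = !strings.HasPrefix(t, root+string(filepath.Separator))
		}
		out = append(out, f)
	}
	return out, nil
}

func main() {
	for _, dir := range os.Args[1:] { // pass one or more log directories to audit
		findings, err := AuditLogDir(dir)
		fmt.Printf("%s: %d symlink(s), err=%v\n", dir, len(findings), err)
		for _, f := range findings {
			fmt.Printf("  %s -> %q escapes=%v\n", f.Name, f.Target, f.Escapes)
		}
	}
}
```

The check is a point-in-time audit; it does not replace upgrading the driver.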

Remediation
Customers should evaluate the risk associated with this issue and consider upgrading the exec2 task driver to 0.1.2 or newer.

Acknowledgement
This issue was identified by the Nomad engineering team in conjunction with Alex Manson (Aiven / NeuroWinter).

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.