Bulletin ID: HCSEC-2026-15
Affected Products / Versions: Nomad Community Edition from 1.10.0 up to 2.0.0, fixed in 2.0.1; Nomad Enterprise from 1.10.0 up to 2.0.0, fixed in 2.0.1, 1.11.5, and 1.10.11.
Publication Date: May 12, 2026
Summary
HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to code execution on the client host through a path traversal attack. This vulnerability (CVE-2026-7474) is fixed in Nomad 2.0.1, 1.11.5 and 1.10.11.
Background
Nomad’s Dynamic Host Volumes feature lets a cluster admin grant authorized users the ability to create volumes on the client host. These volumes can be provisioned with Nomad’s built-in “mkdir” plugin, or they can use an external plugin that a cluster admin has placed in the host’s plugin directory. These plugins are executables that are expected to dynamically configure persistent storage on the Nomad client node. The plugin runs as the same user as the Nomad agent (likely root).
Details
A user with the host-volume-create capability and read access to nodes can submit a host volume create request that specifies a target node identifier together with a plugin identifier that traverses out of the plugin directory. The targeted client then executes a non-plugin executable as the same user as the Nomad agent.
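The defect described above is a missing confinement check on a user-controlled identifier that is turned into a file path. The Go function below is an added illustration of the kind of check that closes this class of bug; it is not Nomad’s code or its actual fix, and the plugin directory path and the identifiers it accepts or rejects are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrBadPluginID is returned when a plugin identifier cannot be mapped to a
// file that sits directly inside the plugin directory.
var ErrBadPluginID = errors.New("invalid plugin id")

// ResolvePluginPath maps a user-supplied plugin identifier onto an executable
// under pluginDir and rejects anything that would escape that directory.
// Illustrative check only; this is not Nomad's implementation.
func ResolvePluginPath(pluginDir, pluginID string) (string, error) {
	// A plugin identifier must be a bare file name: no path separators
	// (either flavour), and not the "." or ".." directory entries.
	if pluginID == "" || pluginID == "." || pluginID == ".." ||
		strings.ContainsAny(pluginID, `/\`) {
		return "", ErrBadPluginID
	}

	base, err := filepath.Abs(pluginDir)
	if err != nil {
		return "", err
	}
	full := filepath.Join(base, pluginID)

	// Defence in depth: after joining and cleaning, the result must still be
	// a direct child of the plugin directory, never the directory itself or
	// anything above it.
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) ||
		filepath.IsAbs(rel) {
		return "", ErrBadPluginID
	}
	return full, nil
}

func main() {
	// Constructed plugin directory; it does not need to exist for the check.
	const pluginDir = "/opt/nomad/plugins"
	for _, id := range []string{"mkdir", "../escape", "sub/plugin", "/abs/path", ".."} {
		p, err := ResolvePluginPath(pluginDir, id)
		if err != nil {
			fmt.Printf("reject %-12q %v\n", id, err)
			continue
		}
		fmt.Printf("accept %-12q -> %s\n", id, p)
	}
}
```

The first test rejects separators outright instead of trying to normalise them, because an identifier that names a plugin never needs one; the second test catches anything a later refactor of the first might let through.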
Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Nomad Community Edition 2.0.1 or Nomad Enterprise 2.0.1, 1.11.5, or 1.10.11.
Nomad Enterprise customers that are unable to upgrade can implement a Sentinel policy to disable external plugins. The following policy disables any plugin_id except the built-in mkdir:
# policy.hcl
# Allow only the built-in mkdir plugin for host volume submissions;
# any other plugin_id, including one that names an external plugin, is denied.
is_allowed_plugin = func() {
print("only mkdir plugins allowed")
return volume.plugin_id == "mkdir"
}
main = rule { is_allowed_plugin() }
This policy can be applied to Nomad Enterprise clusters with:
nomad sentinel apply -level hard-mandatory -scope=submit-host-volume mkdironly ./policy.hcl
Acknowledgement
This issue was reported to HashiCorp by Adrian Denkiewicz at Doyensec in collaboration with Claude and Anthropic Research.
We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.