Bulletin ID: HCSEC-2026-17
Affected Products / Versions: Terraform Enterprise v202506-1, v202507-1, and 1.0.0 through 2.0.3; fixed in Terraform Enterprise 2.0.4, 1.2.4.
Publication Date: July 6, 2026
Summary
HashiCorp Terraform Enterprise contained an issue in its version control system (VCS) ingestion of registry modules that did not correctly enforce the intended boundary on packaged module content. This may allow an authenticated user to include files from outside the intended repository content in a module and then download them, potentially exposing sensitive files readable by the ingestion process. This vulnerability, CVE-2026-14468, is fixed in Terraform Enterprise v2.0.4 and v1.2.4.
Background
Terraform Enterprise can create private registry modules from a version control system (VCS) repository. When ingesting a module, it clones the repository and packages the contents into a downloadable module artifact.
Details
Terraform Enterprise did not correctly enforce the intended boundary on the content packaged during VCS ingestion of registry modules. As a result, an authenticated user able to publish a registry module could cause files from outside the intended repository content to be included in the packaged module and then download the result, which may expose sensitive files readable by the ingestion process, such as application configuration and secrets. Exploitation requires the ability to create or publish a registry module and does not require host access or administrative privileges.
Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Terraform Enterprise v2.0.4 or v1.2.4. As a potential mitigation, customers can remove module publishing permissions from untrusted users.
Acknowledgement
This issue was identified by the Terraform Enterprise engineering team.
We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.