HCSEC-2026-20 - Consul-template vulnerable to path redirections in writeToFile

Bulletin ID: HCSEC-2026-20

Affected Products / Versions: Consul-template up to and including 0.42.0; fixed in 0.42.1.

Publication Date: July 8, 2026

Summary

The consul-template library before version 0.42.1 is vulnerable to a path redirection issue in the writeToFile template helper that may allow template output to be written outside the intended directory or to overwrite an existing file. This vulnerability (CVE-2026-14361) is fixed in consul-template 0.42.1.

Background

The writeToFile template function writes rendered template content to a local file on disk, creating the parent directory if it does not already exist and applying the configured owner, group, and permissions. It is commonly used to persist rendered output, including certificate and private key material, to an operator-specified path.

Details

The writeToFile helper opens the destination path directly and follows symbolic links, directory junctions, and similar filesystem redirections present in the target path, rather than resolving and validating the final location before writing. If an attacker can pre-position such a link in or beneath the target path before the write occurs, the helper writes the rendered content to the redirected location, which may be outside the operator’s intended directory, and can overwrite a preexisting file at that location. Exploitation requires local access sufficient to create or modify path components beneath the intended write location, and the impact is greater when consul-template runs with elevated privileges or writes sensitive material such as keys and certificates.

Remediation

Customers should evaluate the risk associated with this issue and consider upgrading to consul-template 0.42.1.

Acknowledgement

This issue was reported to HashiCorp by Mohamed Abdelaal (0xmrma).

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.