Bulletin ID: HCSEC-2026-22
Affected Products / Versions: Nomad and Nomad Enterprise up to 2.0.3; fixed in Nomad 2.0.4 and Nomad Enterprise 2.0.4, 1.11.8, and 1.10.14.
Publication Date: July 8, 2026
Summary
HashiCorp Nomad and Nomad Enterprise are vulnerable to a cross-namespace authorization bypass in the dynamic host volumes feature that may allow an operator holding the host volume delete permission in one namespace to delete a sticky volume claim belonging to a job in another namespace. This vulnerability, CVE-2026-14896, is fixed in Nomad Community Edition 2.0.4 and Nomad Enterprise 2.0.4, 1.11.8, and 1.10.14.
Background
Nomad’s dynamic host volumes allow allocations to request persistent storage on a host. Sticky volumes let a task group’s allocation be rescheduled onto the same host volume it previously used, and Nomad tracks this association through per-namespace task group host volume claims. Access to these claims is governed by namespaced ACL capabilities, so operators can manage only the objects within namespaces they are authorized for.
Details
Nomad did not consistently verify that a sticky volume claim targeted for deletion belonged to the namespace the requester was authorized for. As a result, an operator with the host volume delete permission in one namespace could delete a claim associated with a job in a different namespace. This issue requires an authenticated operator holding the relevant permission in at least one namespace. The primary impact is to scheduling correctness: once an affected allocation is rescheduled, migrated, or updated, it might not be placed on the same host volume.
Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Nomad Community Edition 2.0.4 or Nomad Enterprise 2.0.4, 1.11.8, or 1.10.14.
Acknowledgement
This issue was reported to HashiCorp by George Chen.
We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.