Nomad 2.0.4 released

The Nomad team is happy to announce the release of Nomad 2.0.4!

The release includes a number of important security related fixes:

  • A bug where job authors could bypass `allow_privileged` and set `pid_mode` from the task definition’s Docker config block. This is CVE-2026-14891.

  • A bug where docker tasks could use a symlink to bypass the plugin configuration for volumes.enabled=false. This is CVE-2026-14896.

  • A bug with dynamic host volumes where users with `host-volume-delete` in one namespace could delete claims from another namespace.

The release also includes various bug fixes and enhancements, including:

  • Added a tunable parameter for the Vault default lease duration on templates for paths without leases

  • Add a `-kv-path` flag to `nomad setup vault` to configure the Vault KV mount used by the generated workload policy

  • A bug in the UI and API where jobs that share a ModifyIndex were omitted from the jobs page and the `/v1/jobs/statuses` endpoint

Please refer to the changelog for the complete list of improvements and bug fixes. We are also releasing backports of security fixes and bug fixes to Nomad Enterprise v1.11.8+ent and v1.10.14+ent.

Please read the upgrade guide for notes around upgrading and remember that downgrading is not supported. Please do not hesitate tofile an issue on GitHubif you encounter any issues.

Thanks,

The Nomad Team

2.0.4 Binaries - Nomad v2.0.4 Binaries | HashiCorp Releases

2.0.4 Changelog - Release v2.0.4 · hashicorp/nomad · GitHub

2.0.4 Release Notes - Nomad v2.0.x release notes | Nomad | HashiCorp Developer

1 Like