HashiCorp Nomad Event Stream Namespace ACL Policy Bypass Vulnerability

Vulnerability

A vulnerability exists in both Nomad Community and Nomad Enterprise event streams that are configured with a wildcard namespace. This vulnerability allows for an ACL policy bypass, enabling unauthorized reads from other namespaces. The issue arises from a flaw in how ACL wildcards are validated, creating a discrepancy that can be exploited when using the event stream endpoint with a wildcard namespace.
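The advisory describes a validation gap: a subscriber asks the event stream for the wildcard namespace, and the ACL check lets the wildcard through instead of resolving it against the namespaces the token may actually read. The model below is an added illustration of the correct behaviour, not Nomad's own code; the policy shape (namespace glob patterns mapped to capability sets) and the capability name `read-job` are simplifying assumptions, and the events are constructed sample data.

```python
import fnmatch
from dataclasses import dataclass

# Assumed, simplified model of a namespace-scoped ACL policy: each key is a
# namespace pattern (a glob such as "dev*"), each value the set of
# capabilities the token holds for namespaces matching it.
Policy = dict[str, set[str]]


@dataclass(frozen=True)
class Event:
    namespace: str
    topic: str
    payload: str


def can_read_namespace(policy: Policy, namespace: str) -> bool:
    """True if some rule matching this concrete namespace grants read access."""
    return any(
        fnmatch.fnmatchcase(namespace, pattern) and "read-job" in caps
        for pattern, caps in policy.items()
    )


def allowed_namespaces(policy: Policy, requested: str, known: list[str]) -> set[str]:
    """Resolve the namespace a subscriber asked for into the concrete
    namespaces the token is allowed to read.

    A wildcard request is expanded against the token's own policy and the
    namespaces that exist; it is never accepted as a namespace in its own
    right, which is the shortcut that would leak other namespaces' events.
    """
    if requested == "*":
        return {ns for ns in known if can_read_namespace(policy, ns)}
    return {requested} if can_read_namespace(policy, requested) else set()


def filter_events(policy: Policy, requested: str, known: list[str],
                  events: list[Event]) -> list[Event]:
    """Deliver only events whose namespace the token may read."""
    allowed = allowed_namespaces(policy, requested, known)
    return [e for e in events if e.namespace in allowed]


# Constructed sample data: a token that may read dev* namespaces only.
SAMPLE_POLICY: Policy = {"dev*": {"read-job"}, "default": {"submit-job"}}
SAMPLE_NAMESPACES = ["default", "dev", "dev-ci", "prod"]
SAMPLE_EVENTS = [
    Event("default", "Job", "job registered"),
    Event("dev", "Allocation", "alloc placed"),
    Event("dev-ci", "Deployment", "deployment promoted"),
    Event("prod", "Job", "job deregistered"),
]


if __name__ == "__main__":
    for e in filter_events(SAMPLE_POLICY, "*", SAMPLE_NAMESPACES, SAMPLE_EVENTS):
        print(e.namespace, e.topic, e.payload)
```

The discrepancy the advisory points to lives in the `requested == "*"` branch: a validator that treats the wildcard as just another well-formed namespace string, rather than expanding it per namespace, hands a subscriber events from every namespace regardless of policy. Expanding the wildcard against `known` and checking each namespace individually keeps a wildcard subscription bounded by the token's policy.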

Impact

Exploiting this vulnerability can lead to unauthorized access to event stream data from other namespaces, bypassing established ACL policies.

Remediation

Users should upgrade to Nomad Community Edition 1.9.6 or Nomad Enterprise 1.9.6, 1.8.10, or 1.7.18. For guidance on upgrading, refer to the Nomad Upgrade Guides.
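A fleet check that decides, from the version string each agent reports, whether it is at or above a fixed release. This is an added example, not HashiCorp's tooling; the fixed versions are the ones listed in this advisory, the `+ent` suffix as the Enterprise marker in `nomad version` output is an assumption, and the sample outputs are constructed.

```python
import re

# Fixed versions as listed in the advisory.
FIXED_COMMUNITY = (1, 9, 6)
FIXED_ENTERPRISE = {9: (1, 9, 6), 8: (1, 8, 10), 7: (1, 7, 18)}

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(?:[+-]([0-9A-Za-z.+-]*))?")


def parse_version(text: str) -> tuple[tuple[int, int, int], bool]:
    """Parse 'Nomad v1.9.5' or 'Nomad v1.9.5+ent' into ((1, 9, 5), is_enterprise).

    Assumption: Enterprise builds carry a '+ent' suffix in their version string.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Nomad version found in {text!r}")
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    enterprise = "ent" in (m.group(4) or "")
    return version, enterprise


def is_patched(text: str) -> bool:
    """True if the reported version is at or above a fixed release.

    Community Edition has a single fixed release (1.9.6). Enterprise has a
    fixed release per maintained line (1.9.6, 1.8.10, 1.7.18); a line with no
    listed fix (1.6 and older) is treated as needing an upgrade. Assumption:
    release lines newer than 1.9 are taken to include the fix.
    """
    version, enterprise = parse_version(text)
    major, minor, _ = version
    if not enterprise:
        return version >= FIXED_COMMUNITY
    if major == 1 and minor in FIXED_ENTERPRISE:
        return version >= FIXED_ENTERPRISE[minor]
    return version > FIXED_COMMUNITY


def triage(outputs: dict[str, str]) -> dict[str, bool]:
    """Map each agent name to whether its reported version is patched."""
    return {host: is_patched(text) for host, text in outputs.items()}


# Constructed sample `nomad version` outputs, one per agent.
SAMPLE_OUTPUTS = {
    "server-1": "Nomad v1.9.6",
    "server-2": "Nomad v1.9.5",
    "ent-a": "Nomad v1.8.10+ent",
    "ent-b": "Nomad v1.7.17+ent",
}


if __name__ == "__main__":
    for host, ok in triage(SAMPLE_OUTPUTS).items():
        print(f"{host}: {'patched' if ok else 'UPGRADE REQUIRED'}")
```

Feed it the output of `nomad version` collected from each agent; anything reported as needing an upgrade should move to the versions named above. Note that a Community Edition agent on a 1.8 or 1.7 release is flagged regardless of patch level, because the advisory lists a fixed release for those lines only in Enterprise.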

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 2.6
impact: 0.6
exploitability: 4.9
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.