HashiCorp Nomad Workload Identity and Client Secret Token Exposure in Audit Logs Vulnerability

Vulnerability

A vulnerability exists in HashiCorp Nomad Community and Enterprise editions that allows unintentional exposure of sensitive tokens in audit logs. It affects Nomad Community Edition 1.0.0 through 1.9.6 and Nomad Enterprise 1.0.0 through 1.9.6, including the maintained 1.8.x branch up to 1.8.10 and the 1.7.x branch up to 1.7.18. The cause is a logging utility that writes workload identity tokens and client secret tokens into the audit log without redaction. Anyone with read access to those logs (log collectors, SIEM operators, backup or support staff) therefore obtains valid bearer credentials and can impersonate the user or workload the token belongs to, or access the resources it is authorised for.

Impact

Both token types are bearer credentials, so possession is sufficient to use them. A leaked workload identity token lets an attacker act with the identity and permissions of that workload; a leaked client secret token lets an attacker act as that user or agent against the Nomad API. No access to the Nomad servers is needed beyond reading the audit log, which is commonly shipped to systems with a wider audience than the cluster itself.
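The practical check is whether existing audit logs already contain such tokens. The scanner below is an added example, not HashiCorp code: it walks JSON-lines records (and falls back to plain-text matching) and flags JWT-shaped strings whose header decodes to JSON, which is the shape of a Nomad workload identity token, and UUID-shaped values under secret-bearing field names, which is the shape of a Nomad client secret token. The field names treated as secret-bearing (`X-Nomad-Token`, anything containing `secret`, `token` or `authorization`) and the sample log lines are assumptions constructed for the example; plain UUIDs under other keys are deliberately ignored because allocation, job and node IDs are UUIDs too.

```python
"""Scan audit-log lines for unredacted Nomad-style tokens.

Added example, not HashiCorp code. The secret-bearing field names and the
sample log lines are assumptions constructed for this example.
"""
import base64
import json
import re

# Keys whose UUID values are treated as secrets (assumption: adjust to the
# field names in your own audit log format). UUIDs under other keys are
# ignored since alloc/job/eval/node IDs are UUIDs too and are not secret.
SECRET_KEY_RE = re.compile(r"secret|token|authorization", re.I)
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}")
UUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def looks_like_jwt(candidate: str) -> bool:
    """True when the string has JWT shape and its header decodes to JSON with 'alg'."""
    if not JWT_RE.fullmatch(candidate):
        return False
    try:
        header = json.loads(_b64url_decode(candidate.split(".")[0]))
    except (ValueError, UnicodeDecodeError):
        return False
    return isinstance(header, dict) and "alg" in header


def _walk(obj, path=""):
    """Yield (json_path, value) for every string leaf of a parsed JSON document."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from _walk(val, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            yield from _walk(val, f"{path}[{i}]")
    elif isinstance(obj, str):
        yield path, obj


def classify(path: str, value: str):
    """Return (kind, token) if one string leaf carries an unredacted token, else None."""
    for m in JWT_RE.finditer(value):          # JWT may sit inside "Bearer ..."
        if looks_like_jwt(m.group(0)):
            return "workload_identity_jwt", m.group(0)
    leaf = path.rsplit(".", 1)[-1]
    if SECRET_KEY_RE.search(leaf) and UUID_RE.fullmatch(value.strip()):
        return "client_secret_uuid", value.strip()
    return None


def scan(lines):
    """Return [(line_no, json_path, kind, token)] for every token found."""
    findings = []
    for n, line in enumerate(lines, 1):
        try:
            doc = json.loads(line)
        except ValueError:
            # Plain-text line: without field names only the JWT shape is reliable.
            for m in JWT_RE.finditer(line):
                if looks_like_jwt(m.group(0)):
                    findings.append((n, "", "workload_identity_jwt", m.group(0)))
            continue
        for path, value in _walk(doc):
            hit = classify(path, value)
            if hit:
                findings.append((n, path, hit[0], hit[1]))
    return findings


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample token and log lines; not real Nomad output.
SAMPLE_JWT = ".".join([
    _b64url(b'{"alg":"RS256","typ":"JWT"}'),
    _b64url(b'{"sub":"example-job","iss":"nomad"}'),
    _b64url(b"\x00" * 32),              # placeholder signature bytes
])
SAMPLE_SECRET = "5f1e6a12-1b8b-4a4c-9a13-3d0f6b2e7c91"
SAMPLE_LINES = [
    json.dumps({"type": "audit", "payload": {"request": {"headers": {"X-Nomad-Token": [SAMPLE_SECRET]}}}}),
    json.dumps({"type": "audit", "payload": {"response": {"body": "Bearer " + SAMPLE_JWT}}}),
    json.dumps({"type": "audit", "payload": {"alloc_id": "b2c1d4e5-7f80-4a9b-8c6d-1e2f3a4b5c6d"}}),
    "unstructured line carrying " + SAMPLE_JWT,
]

if __name__ == "__main__":
    for line_no, path, kind, token in scan(SAMPLE_LINES):
        print(f"line {line_no}: {kind} at {path or '<text>'}: {token[:12]}...")
```

Run it against the log files as `scan(open(path).read().splitlines())`; any finding means the log must be handled as credential material and the tokens it names treated as compromised. The JWT check decodes the header rather than trusting the `eyJ` prefix alone, which keeps base64-looking noise such as encoded payloads from being reported.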

Remediation

Users are advised to upgrade to Nomad Community Edition 1.9.7 or Nomad Enterprise 1.9.7, 1.8.11, or 1.7.19. Upgrading stops further tokens from being written but does not revoke tokens already present in audit logs: review existing logs, restrict or scrub copies that contain tokens, and revoke or rotate any client secret tokens that appear in them.
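To decide quickly whether a given build is inside the affected ranges, the helper below encodes the version boundaries stated in this advisory. It is an added example, not HashiCorp tooling. It assumes `nomad version` output of the form `Nomad v1.9.6+ent` (the `+ent` suffix marking Enterprise), parses the leading MAJOR.MINOR.PATCH and ignores any pre-release or build suffix, so a pre-release of a fixed version is reported as fixed; treat that as a simplification.

```python
"""Check a Nomad version string against the affected ranges in the advisory.

Added example, not HashiCorp tooling. Assumes 'Nomad vX.Y.Z[+ent]' style
version strings; pre-release/build suffixes are ignored.
"""
import re

# First fixed release per maintained minor branch, per the advisory.
FIXED = {
    "community": {(1, 9): (1, 9, 7)},
    "enterprise": {(1, 9): (1, 9, 7), (1, 8): (1, 8, 11), (1, 7): (1, 7, 19)},
}
FIRST_AFFECTED = (1, 0, 0)

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """Extract (major, minor, patch) from e.g. 'Nomad v1.9.6+ent' or '1.9.6'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(x) for x in m.groups())


def edition_of(text: str) -> str:
    """Assumption: Enterprise builds carry a '+ent' build suffix."""
    return "enterprise" if "+ent" in text else "community"


def is_affected(edition: str, version: str) -> bool:
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return False
    fixed = FIXED[edition]
    branch = v[:2]
    if branch in fixed:
        # Branch has its own fix release: affected below it.
        return v < fixed[branch]
    # Branches without a fix release (e.g. Community 1.8.x) stay affected up to
    # the newest fixed minor; anything newer than that is outside the range.
    return branch < max(fixed)


if __name__ == "__main__":
    for sample in ("Nomad v1.9.6", "Nomad v1.9.7", "Nomad v1.8.10+ent", "Nomad v1.8.11+ent"):
        print(sample, "->", "AFFECTED" if is_affected(edition_of(sample), sample) else "fixed")
```

For Community Edition only the 1.9 line received a fix, so every older Community minor is reported as affected until it is moved to 1.9.7 or later; Enterprise users on 1.8.x or 1.7.x can stay on their branch at the listed patch level.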

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          2.6
impact          2.5
exploitability  4.9
remediation     7.7
relevance       0.0
threat          0.0
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.