HashiCorp Consul and Consul Enterprise Arbitrary File Read Vulnerability in Kubernetes Authentication

Vulnerability

A vulnerability allowing arbitrary file read has been identified in HashiCorp Consul and Consul Enterprise versions 1.18.20 prior to 1.21.10 and 1.22.4. The issue arises when Consul is configured to use Kubernetes authentication: a privileged attacker can read files from the Consul server host, potentially gaining unauthorized access to sensitive data.

Impact

Exploitation of this vulnerability could result in unauthorized arbitrary file reads from the Consul server host, with the potential for sensitive data leakage.

Remediation

Users are advised to upgrade to Consul Community Edition 1.22.5 or Consul Enterprise versions 1.18.21, 1.21.11 or 1.22.5. Refer to Consul's upgrade documentation for guidance on the upgrade process.

Added: Mar 12, 2026, 12:22 AM
Updated: Mar 12, 2026, 12:22 AM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 0.8
exploitability: 4.4
remediation: 7.7
relevance: 3.8
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.