HashiCorp Nomad Exec2 Task Driver Arbitrary File Read/Write Vulnerability via Symlink Attack

Vulnerability

A vulnerability in HashiCorp Nomad's exec2 task driver, affecting versions prior to 0.1.2, allows arbitrary file read and write on the client host. The attack works through symlinks: an attacker can manipulate named pipe symlinks for an allocation's log file. As a result, the attacker gains access to the Nomad host's filesystem with the privileges of the Nomad process user.

Impact

Exploitation of this vulnerability could lead to unauthorized read and write access on the client host's filesystem, potentially allowing for the manipulation of files or creation of malicious payloads.

Remediation

Users are advised to upgrade the exec2 task driver to version 0.1.2 or newer.
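
For developers of software that opens per-task log pipes, the following added example shows one general hardening pattern against a symlink planted at a pipe path: refuse symlinks at open time and confirm on the descriptor that the file is a FIFO. It is not code from Nomad or the exec2 driver and is not a description of the fix in 0.1.2; the function names, file names and sample files are constructed, and Linux is assumed.

```go
package main

import (
	"fmt"
	"os"
	"syscall"
)

// openLogFIFO is a hypothetical helper, not the exec2 driver's code. O_NOFOLLOW
// makes open(2) fail with ELOOP when the final path component is a symlink (it
// does not cover parent directories); O_NONBLOCK avoids waiting for a writer.
func openLogFIFO(path string) (*os.File, error) {
	flags := syscall.O_RDONLY | syscall.O_NOFOLLOW | syscall.O_NONBLOCK | syscall.O_CLOEXEC
	fd, err := syscall.Open(path, flags, 0)
	if err != nil {
		return nil, fmt.Errorf("open %s: %w", path, err)
	}
	// Verify the type on the open descriptor, so a later swap of the path
	// cannot change what was checked.
	var st syscall.Stat_t
	if err := syscall.Fstat(fd, &st); err != nil || st.Mode&syscall.S_IFMT != syscall.S_IFIFO {
		syscall.Close(fd)
		return nil, fmt.Errorf("%s is not a named pipe (fstat error: %v)", path, err)
	}
	return os.NewFile(uintptr(fd), path), nil
}

// tryCases builds constructed sample files in dir and returns the result of
// opening a real FIFO, a symlink planted at a pipe path, and a regular file.
func tryCases(dir string) (errs []error) {
	fifo, link, target := dir+"/task.stdout.fifo", dir+"/swapped.fifo", dir+"/host-file"
	syscall.Mkfifo(fifo, 0o600)
	os.WriteFile(target, []byte("host data\n"), 0o600)
	os.Symlink(target, link)
	for _, p := range []string{fifo, link, target} {
		f, err := openLogFIFO(p)
		if err == nil {
			f.Close()
		}
		errs = append(errs, err)
	}
	return errs
}

func main() {
	dir, _ := os.MkdirTemp("", "fifo-demo")
	defer os.RemoveAll(dir)
	fmt.Println(tryCases(dir))
}
```

Only the real FIFO opens; the symlink is rejected by the kernel and the regular file by the type check.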

Added: May 12, 2026, 9:25 PM
Updated: May 12, 2026, 9:25 PM

Vulnerability Rating

Custom Algorithm

spread: 2.6
impact: 6.7
exploitability: 4.9
remediation: 7.7
relevance: 8.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.