logo

Database

Lack of data validation - Path Traversal In github.com/hashicorp/nomad

Description

HashiCorp Nomad vulnerable to a path traversal HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to code execution on the client host through a path traversal attack. This vulnerability (CVE-2026-7474) is fixed in Nomad 2.0.1, 1.11.5 and 1.10.11.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-74742. NVD-2026-74743. OSV-2026-74744. GCVE-2026-7474

References

1. https://github.com/hashicorp/nomad/commit/cd7240c4099ad33eda279924fb3a9459b162d1202. https://discuss.hashicorp.com/t/hcsec-2026-15-nomad-vulnerable-to-path-traversal-in-dynamic-host-volume-which-may-lead-to-code-execution/774173. https://github.com/hashicorp/nomad/releases/tag/v2.0.1

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.