CVE-2026-2808
Arbitrary File Read in HashiCorp Consul Kubernetes Auth
Publication date: 2026-03-12
Last updated on: 2026-03-12
Assigner: HashiCorp Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hashicorp | consul | up to 1.21.10 (inclusive) |
| hashicorp | consul | up to 1.22.4 (inclusive) |
| hashicorp | consul | 1.18.21 |
| hashicorp | consul | 1.21.11 |
| hashicorp | consul | 1.22.5 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-59 | The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2808 is a vulnerability in HashiCorp Consul (Community and Enterprise editions) when configured with Kubernetes authentication and Vault as the Connect CA provider.
The issue occurs because Vault reads a Kubernetes ServiceAccount token from a file path defined by the `token_path` configuration parameter.
A privileged attacker with operator write permissions can manipulate this `token_path` to point to any file on the Consul server node, causing the contents of that file to be read and returned as JWT data during the Kubernetes authentication request.
This allows arbitrary file read and potential exfiltration of sensitive data from the Consul server host.
How can this vulnerability impact me?
This vulnerability can allow a privileged attacker with operator write permissions to read arbitrary files on the Consul server host.
Such unauthorized file reads can lead to exposure of sensitive data stored on the server, including secrets, configuration files, or other confidential information.
This could compromise the security of your infrastructure and potentially lead to further attacks or data breaches.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises when Consul is configured with the Kubernetes authentication method and Vault as the Connect CA provider, and the `token_path` parameter is manipulated so that an arbitrary file is read in place of the ServiceAccount token.
Detection involves verifying whether your Consul setup uses Kubernetes authentication with Vault, and checking whether the `token_path` configuration can be modified by operators or already points (directly or through a symlink) outside the predefined safe directories.
No specific detection commands are provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Consul to a fixed version: Consul Community Edition 1.22.5 or later, or Consul Enterprise 1.18.21, 1.21.11, or 1.22.5 and later.
The update restricts reads of Kubernetes ServiceAccount tokens to a predefined subset of directories, so a `token_path` pointing elsewhere can no longer cause an arbitrary file read.
Users should assess their risk and apply the upgrade promptly to avoid potential exfiltration of sensitive data.
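The directory allow-list that the fix describes, written as a defender-side check that covers both the detection question above (does the configured path escape the safe directories?) and the mitigation (only read tokens from permitted directories). This is an added illustration, not HashiCorp's code; the function name, the allowed-directory list and the constructed file layout are assumptions, since the advisory does not name the directories the fixed releases permit. Because the weakness is CWE-59 (link following), the check resolves every symlink before comparing paths.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ResolveTokenPath canonicalises tokenPath and accepts it only if the real file
// lives strictly inside one of allowedDirs (absolute paths, an assumed list).
// It returns the resolved path so the caller reads exactly what was checked.
func ResolveTokenPath(tokenPath string, allowedDirs []string) (string, error) {
	abs, err := filepath.Abs(tokenPath)
	if err != nil {
		return "", err
	}
	real, err := filepath.EvalSymlinks(abs) // follows every symlink component (the CWE-59 case)
	if err != nil {
		return "", err
	}
	for _, dir := range allowedDirs {
		base, err := filepath.EvalSymlinks(dir)
		if err != nil {
			continue // a permitted directory that does not exist matches nothing
		}
		rel, err := filepath.Rel(base, real)
		if err != nil || rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
			continue // not a file strictly inside this directory
		}
		return real, nil
	}
	return "", fmt.Errorf("token_path %q resolves to %q, outside the allowed directories", tokenPath, real)
}

func main() {
	// Constructed layout: an allowed directory holding a real token, plus a symlink inside
	// it pointing at a file elsewhere on the host; the check must reject the symlink.
	root, _ := os.MkdirTemp("", "tokenpath")
	defer os.RemoveAll(root)
	allowed := filepath.Join(root, "serviceaccount")
	_ = os.MkdirAll(allowed, 0o755)
	_ = os.WriteFile(filepath.Join(allowed, "token"), []byte("constructed-jwt"), 0o600)
	_ = os.WriteFile(filepath.Join(root, "host-secret"), []byte("constructed"), 0o600)
	_ = os.Symlink(filepath.Join(root, "host-secret"), filepath.Join(allowed, "token-link"))
	for _, p := range []string{filepath.Join(allowed, "token"), filepath.Join(allowed, "token-link")} {
		_, err := ResolveTokenPath(p, []string{allowed})
		fmt.Printf("%s -> err=%v\n", filepath.Base(p), err)
	}
}
```

The same comparison rejects a plain `../` traversal, since `filepath.Abs` cleans the path before the allow-list test.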