CVE-2026-2808
Received Received - Intake
Arbitrary File Read in HashiCorp Consul Kubernetes Auth

Publication date: 2026-03-12

Last updated on: 2026-03-12

Assigner: HashiCorp Inc.

Description
HashiCorp Consul and Consul Enterprise 1.18.20 up to 1.21.10 and 1.22.4 are vulnerable to arbitrary file read when configured with Kubernetes authentication. This vulnerability, CVE-2026-2808, is fixed in Consul 1.18.21, 1.21.11 and 1.22.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-12
Last Modified
2026-03-12
Generated
2026-06-16
AI Q&A
2026-03-12
EPSS Evaluated
2026-06-15
NVD
CVE-2026-2808
EUVD
EUVD-2026-11487
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
hashicorp consul to 1.21.10 (inc)
hashicorp consul to 1.22.4 (inc)
hashicorp consul 1.18.21
hashicorp consul 1.21.11
hashicorp consul 1.22.5
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-2808 is a vulnerability in HashiCorp Consul (Community and Enterprise editions) when configured with Kubernetes authentication and Vault as the Connect CA provider.

The issue occurs because Vault reads a Kubernetes ServiceAccount token from a file path defined by the `token_path` configuration parameter.

A privileged attacker with operator write permissions can manipulate this `token_path` to point to any file on the Consul server node, causing the contents of that file to be read and returned as JWT data during the Kubernetes authentication request.

This allows arbitrary file read and potential exfiltration of sensitive data from the Consul server host.

Impact Analysis

This vulnerability can allow a privileged attacker with operator write permissions to read arbitrary files on the Consul server host.

Such unauthorized file reads can lead to exposure of sensitive data stored on the server, including secrets, configuration files, or other confidential information.

This could compromise the security of your infrastructure and potentially lead to further attacks or data breaches.

Compliance Impact

I don't know

Detection Guidance

This vulnerability arises when Consul is configured with the Kubernetes authentication method using Vault as the Connect CA provider, specifically involving manipulation of the token_path parameter to read arbitrary files.

Detection involves verifying if your Consul setup uses Kubernetes authentication with Vault and checking if the token_path configuration can be manipulated or points outside the predefined safe directories.

No specific detection commands are provided in the available resources.

Mitigation Strategies

To mitigate this vulnerability, upgrade Consul to a fixed version: Consul Community Edition 1.22.5 or later, or Consul Enterprise versions 1.18.21, 1.21.11, or 1.22.5 and above.

The update restricts reading Kubernetes ServiceAccount tokens only from a predefined subset of directories, preventing arbitrary file reads.

Users should assess their risk and apply the upgrade promptly to avoid potential exfiltration of sensitive data.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2808. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart