CVE-2026-14891
Received Received - Intake

Sandbox Escape via Docker Bind Mount in HashiCorp Nomad

Vulnerability report for CVE-2026-14891, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: HashiCorp Inc.

Description

HashiCorp Nomad and Nomad Enterprise are vulnerable to a sandbox escape in the Docker task driver that may allow a job submitter to bind-mount a host path into a container even when volume bind mounts are disabled, potentially leading to reading and writing files on the host. This vulnerability, CVE-2026-14891, is fixed in Nomad Community Edition 2.0.4 and Nomad Enterprise 2.0.4, 1.11.8, and 1.10.14.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
hashicorp nomad 2.0.4
hashicorp nomad_enterprise 2.0.4
hashicorp nomad_enterprise 1.11.8
hashicorp nomad_enterprise 1.10.14

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows unauthorized reading and writing of files on the host system by escaping the Docker task driver's sandbox. Such unauthorized access to host files can lead to exposure or modification of sensitive data.

Because of the potential for unauthorized data access and modification, this vulnerability could negatively impact compliance with data protection standards and regulations such as GDPR and HIPAA, which require strict controls over access to sensitive data.

Mitigating this risk by upgrading to fixed versions is essential to maintain compliance and protect sensitive information.

Executive Summary

CVE-2026-14891 is a vulnerability in HashiCorp Nomad and Nomad Enterprise's Docker task driver that allows a sandbox escape. Specifically, a job submitter can bind-mount a host path into a container even when volume bind mounts are disabled. This happens because the containment check does not fully consider symbolic links, allowing the mount to resolve outside the intended allocation directory.

Exploitation requires submitting a Docker-driver job, which means the attacker must be an authenticated job submitter if ACLs are enabled, or any API client if ACLs are disabled.

This vulnerability enables unauthorized reading and writing of files on the host system.

Impact Analysis

This vulnerability can lead to unauthorized access to the host system's files by allowing an attacker to read and write files outside the container environment.

Such unauthorized file access can compromise the integrity and confidentiality of the host system, potentially leading to data breaches, system manipulation, or further exploitation.

Mitigation Strategies

To mitigate the vulnerability CVE-2026-14891 in HashiCorp Nomad and Nomad Enterprise, customers are advised to upgrade to fixed versions.

  • Upgrade Nomad Community Edition to version 2.0.4 or later.
  • Upgrade Nomad Enterprise to versions 2.0.4, 1.11.8, or 1.10.14 or later.
Detection Guidance

Detection of this vulnerability involves verifying if your HashiCorp Nomad or Nomad Enterprise installation is running a vulnerable version prior to the fixed releases (Nomad Community Edition before 2.0.4 and Nomad Enterprise before 2.0.4, 1.11.8, or 1.10.14).

Since exploitation requires submitting a Docker-driver job, monitoring job submissions for unexpected or unauthorized bind mounts, especially those that resolve outside the allocation directory via symbolic links, can help detect attempts to exploit this vulnerability.

No specific detection commands are provided in the available resources. However, general commands to check the Nomad version and inspect running jobs could include:

  • Check Nomad version: nomad version
  • List running jobs: nomad job status
  • Inspect job specifications for Docker tasks with bind mounts that might bypass restrictions.

For network detection, monitoring API calls that submit Docker-driver jobs or unusual volume mount requests could be useful, but no explicit commands or tools are detailed in the provided information.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-14891. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart