CVE-2026-14896

medium

Description

HashiCorp Nomad and Nomad Enterprise are vulnerable to a cross-namespace authorization bypass in the dynamic host volumes feature that may allow an operator holding the host volume delete permission in one namespace to delete a sticky volume claim belonging to a job in another namespace. This vulnerability, CVE-2026-14896, is fixed in Nomad Community Edition 2.0.4 and Nomad Enterprise 2.0.4, 1.11.8, and 1.10.14.

References

https://discuss.hashicorp.com/t/hcsec-2026-22-nomad-vulnerable-to-cross-namespace-host-volume-claim-deletion/77562

Details

Source: Mitre, NVD

Published: 2026-07-08

Updated: 2026-07-08

Risk Information

CVSS v2

Base Score: 3.6

Vector: CVSS2#AV:N/AC:H/Au:S/C:N/I:P/A:P

Severity: Low

CVSS v3

Base Score: 4.2

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L

Severity: Medium