Boundary HashiCorp Boundary

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in HashiCorp Boundary.

By the Year

In 2025 there have been 0 vulnerabilities in HashiCorp Boundary. Last year, in 2024 Boundary had 2 security vulnerabilities published. Right now, Boundary is on track to have less security vulnerabilities in 2025 than it did last year.

Year Vulnerabilities Average Score
2025 0 0.00
2024 2 8.00
2023 1 7.10
2022 2 8.00
2021 0 0.00
2020 0 0.00
2019 0 0.00
2018 0 0.00

It may take a day or so for new Boundary vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent HashiCorp Boundary Security Vulnerabilities

Boundary Controller Initialization HTTP Request Handling Denial of Service Vulnerability

CVE-2024-12289 - December 12, 2024

Boundary Community Edition and Boundary Enterprise (Boundary) incorrectly handle HTTP requests during the initialization of the Boundary controller, which may cause the Boundary server to terminate prematurely. Boundary is only vulnerable to this flaw during the initialization of the Boundary controller, which on average is measured in milliseconds during the Boundary startup process. This vulnerability, CVE-2024-12289, is fixed in Boundary Community Edition and Boundary Enterprise 0.16.4, 0.17.3, 0.18.2.

Boundary and Boundary Enterprise (Boundary) is vulnerable to session hijacking through TLS certificate tampering

CVE-2024-1052 8 - High - February 05, 2024

Boundary and Boundary Enterprise (Boundary) is vulnerable to session hijacking through TLS certificate tampering. An attacker with privileges to enumerate active or pending sessions, obtain a private key pertaining to a session, and obtain a valid trust on first use (TOFU) token may craft a TLS certificate to hijack an active session and gain access to the underlying service or application.

Improper Certificate Validation

HashiCorp Boundary from 0.10.0 through 0.11.2 contain an issue where when using a PKI-based worker with a Key Management Service (KMS) defined in the configuration file, new credentials created after an automatic rotation may not have been encrypted

CVE-2023-0690 7.1 - High - February 08, 2023

HashiCorp Boundary from 0.10.0 through 0.11.2 contain an issue where when using a PKI-based worker with a Key Management Service (KMS) defined in the configuration file, new credentials created after an automatic rotation may not have been encrypted via the intended KMS. This would result in the credentials being stored in plaintext on the Boundary PKI workers disk. This issue is fixed in version 0.12.0.

Missing Encryption of Sensitive Data

Hashicorp Boundary v0.8.0 is vulnerable to Clickjacking which

CVE-2022-36182 6.1 - Medium - October 27, 2022

Hashicorp Boundary v0.8.0 is vulnerable to Clickjacking which allow for the interception of login credentials, re-direction of users to malicious sites, or causing users to perform malicious actions on the site.

Clickjacking

HashiCorp Boundary up to 0.10.1 did not properly perform data integrity checks to ensure the resources were associated with the correct scopes

CVE-2022-36130 9.9 - Critical - September 01, 2022

HashiCorp Boundary up to 0.10.1 did not properly perform data integrity checks to ensure the resources were associated with the correct scopes, allowing potential privilege escalation for authorized users of another scope. Fixed in Boundary 0.10.2.

Insufficient Verification of Data Authenticity

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for HashiCorp Boundary or by HashiCorp? Click the Watch button to subscribe.

HashiCorp
Vendor

subscribe