HashiCorp Boundary
By the Year
In 2026 there has been 1 vulnerability in HashiCorp Boundary, with an average score of 7.5 out of ten. Boundary did not have any published security vulnerabilities last year. That is, 1 more vulnerability has already been reported in 2026 than in all of last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 1 | 7.50 |
| 2025 | 0 | 0.00 |
| 2024 | 2 | 8.00 |
| 2023 | 1 | 7.10 |
| 2022 | 2 | 8.00 |
It may take a day or so for new Boundary vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent HashiCorp Boundary Security Vulnerabilities
DoS in Boundary Workers TLS Handshake (fixed 0.21.3, 0.20.3, 0.19.5)
CVE-2026-7776
7.5 - High
- May 04, 2026
Boundary Community Edition and Boundary Enterprise (Boundary) workers are vulnerable to a denial-of-service condition during node enrollment TLS handshakes. An attacker with network access to the worker authentication listener may open a connection and delay or withhold the client certificate during the TLS handshake, causing worker connection handling to block. This may prevent legitimate worker connections from being accepted or routed. This vulnerability, CVE-2026-7776, is fixed in Boundary 0.21.3, 0.20.3, 0.19.5.
Allocation of Resources Without Limits or Throttling
Boundary Controller Initialization HTTP Request Handling Denial of Service Vulnerability
CVE-2024-12289
- December 12, 2024
Boundary Community Edition and Boundary Enterprise (Boundary) incorrectly handle HTTP requests during the initialization of the Boundary controller, which may cause the Boundary server to terminate prematurely. Boundary is only vulnerable to this flaw during the initialization of the Boundary controller, which on average is measured in milliseconds during the Boundary startup process. This vulnerability, CVE-2024-12289, is fixed in Boundary Community Edition and Boundary Enterprise 0.16.4, 0.17.3, 0.18.2.
Boundary TLS Cert Tampering Enables Session Hijacking (CVE-2024-1052)
CVE-2024-1052
8 - High
- February 05, 2024
Boundary and Boundary Enterprise (Boundary) are vulnerable to session hijacking through TLS certificate tampering. An attacker with privileges to enumerate active or pending sessions, obtain a private key pertaining to a session, and obtain a valid trust on first use (TOFU) token may craft a TLS certificate to hijack an active session and gain access to the underlying service or application.
Improper Certificate Validation
HashiCorp Boundary 0.10-0.11.2 PKI KMS Encryption Bypass
CVE-2023-0690
7.1 - High
- February 08, 2023
HashiCorp Boundary from 0.10.0 through 0.11.2 contains an issue where, when using a PKI-based worker with a Key Management Service (KMS) defined in the configuration file, new credentials created after an automatic rotation may not have been encrypted via the intended KMS. This would result in the credentials being stored in plaintext on the Boundary PKI worker's disk. This issue is fixed in version 0.12.0.
Missing Encryption of Sensitive Data
HashiCorp Boundary v0.8.0 Clickjacking: Cred Intercept & Malicious Redirect
CVE-2022-36182
6.1 - Medium
- October 27, 2022
HashiCorp Boundary v0.8.0 is vulnerable to clickjacking, which allows for the interception of login credentials, redirection of users to malicious sites, or causing users to perform malicious actions on the site.
Clickjacking
HashiCorp Boundary 0.10.1 Privilege Escalation via Scope Mismatch (Fixed 0.10.2)
CVE-2022-36130
9.9 - Critical
- September 01, 2022
HashiCorp Boundary up to 0.10.1 did not properly perform data integrity checks to ensure the resources were associated with the correct scopes, allowing potential privilege escalation for authorized users of another scope. Fixed in Boundary 0.10.2.
Insufficient Verification of Data Authenticity