HashiCorp Nomad
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in HashiCorp Nomad.
By the Year
In 2026 there have been 0 vulnerabilities in HashiCorp Nomad. Last year, in 2025 Nomad had 4 security vulnerabilities published. Right now, Nomad is on track to have less security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 4 | 7.60 |
| 2024 | 5 | 7.50 |
| 2023 | 7 | 6.03 |
| 2022 | 9 | 6.40 |
| 2021 | 5 | 7.62 |
| 2020 | 5 | 7.80 |
| 2019 | 1 | 0.00 |
It may take a day or so for new Nomad vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent HashiCorp Nomad Security Vulnerabilities
Nomad ACL Prefix Shadowing CVE-2025-4922 – Fixed 1.10.2
CVE-2025-4922
- June 11, 2025
Nomad Community and Nomad Enterprise (Nomad) prefix-based ACL policy lookup can lead to incorrect rule application and shadowing. This vulnerability, identified as CVE-2025-4922, is fixed in Nomad Community Edition 1.10.2 and Nomad Enterprise 1.10.2, 1.9.10, and 1.8.14.
Nomad Enterprise Bypasses Sentinel Policies via Policy Override (before 1.10.1)
CVE-2025-3744
7.6 - High
- May 13, 2025
Nomad Enterprise (Nomad) jobs using the policy override option are bypassing the mandatory sentinel policies. This vulnerability, identified as CVE-2025-3744, is fixed in Nomad Enterprise 1.10.1, 1.9.9, and 1.8.13.
Nomad unintentional token exposure in audit logs (fixed in 1.9.7)
CVE-2025-1296
- March 10, 2025
Nomad Community and Nomad Enterprise (Nomad) are vulnerable to unintentional exposure of the workload identity token and client secret token in audit logs. This vulnerability, identified as CVE-2025-1296, is fixed in Nomad Community Edition 1.9.7 and Nomad Enterprise 1.9.7, 1.8.11, and 1.7.19.
Nomad ACL Bypass via Wildcard Namespace in Event Stream
CVE-2025-0937
- February 12, 2025
Nomad Community and Nomad Enterprise ("Nomad") event stream configured with a wildcard namespace can bypass the ACL Policy allowing reads on other namespaces.
HashiCorp Nomad Privilege Escalation via Unredacted Workload Identity Tokens
CVE-2024-12678
- December 20, 2024
Nomad Community and Nomad Enterprise ("Nomad") allocations are vulnerable to privilege escalation within a namespace through unredacted workload identity tokens. This vulnerability, identified as CVE-2024-12678, is fixed in Nomad Community Edition 1.9.4 and Nomad Enterprise 1.9.4, 1.8.8, and 1.7.16.
Nomad 1.9.2: Arbitrary Cross-Namespace Volume Creation
CVE-2024-10975
- November 07, 2024
Nomad Community and Nomad Enterprise ("Nomad") volume specification is vulnerable to arbitrary cross-namespace volume creation through unauthorized Container Storage Interface (CSI) volume writes. This vulnerability, identified as CVE-2024-10975, is fixed in Nomad Community Edition 1.9.2 and Nomad Enterprise 1.9.2, 1.8.7, and 1.7.15.
Nomad 0.6.11.8.2 Crash Directory Traversal CVE20247625
CVE-2024-7625
- August 15, 2024
In HashiCorp Nomad and Nomad Enterprise from 0.6.1 up to 1.6.13, 1.7.10, and 1.8.2, the archive unpacking process is vulnerable to writes outside the allocation directory during migration of allocation directories when multiple archive headers target the same file. This vulnerability, CVE-2024-7625, is fixed in Nomad 1.6.14, 1.7.11, and 1.8.3. Access or compromise of the Nomad client agent at the source allocation first is a prerequisite for leveraging this vulnerability.
Nomad Archive Unpack Path Escaping CVE-2024-6717 (Alloc Dir)
CVE-2024-6717
- July 23, 2024
HashiCorp Nomad and Nomad Enterprise 1.6.12 up to 1.7.9, and 1.8.1 archive unpacking during migration is vulnerable to path escaping of the allocation directory. This vulnerability, CVE-2024-6717, is fixed in Nomad 1.6.13, 1.7.10, and 1.8.2.
Nomad Renderer Arbitrary File Write via Symlink (CVE-2024-1329)
CVE-2024-1329
7.5 - High
- February 08, 2024
HashiCorp Nomad and Nomad Enterprise 1.5.13 up to 1.6.6, and 1.7.3 template renderer is vulnerable to arbitrary file write on the host as the Nomad client user through symlink attacks. This vulnerability, CVE-2024-1329, is fixed in Nomad 1.7.4, 1.6.7, and 1.5.14.
Externally Controlled Reference to a Resource in Another Sphere
Nomad ACL Policy Block Label Vulnerability 0.7.01.5.6, 1.4.10 (fixed 1.6.0)
CVE-2023-3072
3.8 - Low
- July 20, 2023
HashiCorp Nomad and Nomad Enterprise 0.7.0 up to 1.5.6 and 1.4.10 ACL policies using a block without a label generates unexpected results. Fixed in 1.6.0, 1.5.7, and 1.4.11.
AuthZ
HashiCorp Nomad ACL Label Omission Unexpected Result (1.5.6)
CVE-2023-3299
2.7 - Low
- July 20, 2023
HashiCorp Nomad Enterprise 1.2.11 up to 1.5.6, and 1.4.10 ACL policies using a block without a label generates unexpected results. Fixed in 1.6.0, 1.5.7, and 1.4.11.
Exposure of Resource to Wrong Sphere
Nomad HTTP API CSIP Discovery Unauthenticated (1.5.6)
CVE-2023-3300
5.3 - Medium
- July 20, 2023
HashiCorp Nomad and Nomad Enterprise 0.11.0 up to 1.5.6 and 1.4.1 HTTP search API can reveal names of available CSI plugins to unauthenticated users or users without the plugin:read policy. Fixed in 1.6.0, 1.5.7, and 1.4.1.
AuthZ
HashiCorp Nomad 1.5.2 Unauth ACL Bypass without mTLS
CVE-2023-1782
9.8 - Critical
- April 05, 2023
HashiCorp Nomad and Nomad Enterprise versions 1.5.0 up to 1.5.2 allow unauthenticated users to bypass intended ACL authorizations for clusters where mTLS is not enabled. This issue is fixed in version 1.5.3.
AuthZ
Nomad 1.4.01.5.0 Deny Policy Bypass in Workload Vars Fixed in 1.4.6/1.5.1
CVE-2023-1296
5.3 - Medium
- March 14, 2023
HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.5.0 did not correctly enforce deny policies applied to a workloads variables. Fixed in 1.4.6 and 1.5.1.
AuthZ
Nomad 1.5.0 Priv Escal via Workload ID API (Fixed 1.5.1)
CVE-2023-1299
8.8 - High
- March 14, 2023
HashiCorp Nomad and Nomad Enterprise 1.5.0 allow a job submitter to escalate to management-level privileges using workload identity and task API. Fixed in 1.5.1.
Nomad Disk DoS via Compressed Artifact 1.3.8, 1.4.3
CVE-2023-0821
6.5 - Medium
- February 16, 2023
HashiCorp Nomad and Nomad Enterprise 1.2.15 up to 1.3.8, and 1.4.3 jobs using a maliciously compressed artifact stanza source can cause excessive disk usage. Fixed in 1.2.16, 1.3.9, and 1.4.4.
Unintended Env Leaks in Nomad Template (0.5.0-0.9.4)
CVE-2019-14802
5.3 - Medium
- December 26, 2022
HashiCorp Nomad 0.5.0 through 0.9.4 (fixed in 0.9.5) reveals unintended environment variables to the rendering task during template rendering, aka GHSA-6hv3-7c34-4hx8. This applies to nomad/client/allocrunner/taskrunner/template.
Nomad 1.4.0-1.4.1 Workload Token Enables Cross-Job Metadata Enumeration
CVE-2022-3866
4.3 - Medium
- November 10, 2022
HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1 workload identity token can list non-sensitive metadata for paths under nomad/ that belong to other jobs in the same namespace. Fixed in 1.4.2.
Exposure of Resource to Wrong Sphere
Token TTL delay in Nomad 1.4.01.4.1 Event Stream (Fixed 1.4.2)
CVE-2022-3867
4.3 - Medium
- November 10, 2022
HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1 event stream subscribers using a token with TTL receive updates until token garbage is collected. Fixed in 1.4.2.
Insufficient Session Expiration
Nomad Crash via Invalid S3/GCS Artifact URLs before 1.2.13
CVE-2022-41606
6.5 - Medium
- October 12, 2022
HashiCorp Nomad and Nomad Enterprise 1.0.2 up to 1.2.12, and 1.3.5 jobs submitted with an artifact stanza using invalid S3 or GCS URLs can be used to crash client agents. Fixed in 1.2.13, 1.3.6, and 1.4.0.
HashiCorp Nomad and Nomad Enterprise version 0.2.0 up to 1.3.0 were impacted by go-getter vulnerabilities enabling privilege escalation through the artifact stanza in submitted jobs onto the client agent host
CVE-2022-30324
9.8 - Critical
- June 02, 2022
HashiCorp Nomad and Nomad Enterprise version 0.2.0 up to 1.3.0 were impacted by go-getter vulnerabilities enabling privilege escalation through the artifact stanza in submitted jobs onto the client agent host. Fixed in 1.1.14, 1.2.8, and 1.3.1.
HashiCorp Nomad and Nomad Enterprise 1.0.17, 1.1.11, and 1.2.5
CVE-2022-24685
7.5 - High
- February 28, 2022
HashiCorp Nomad and Nomad Enterprise 1.0.17, 1.1.11, and 1.2.5 allow invalid HCL for the jobs parse endpoint, which may cause excessive CPU usage. Fixed in 1.0.18, 1.1.12, and 1.2.6.
Allocation of Resources Without Limits or Throttling
HashiCorp Nomad and Nomad Enterprise 0.9.2 through 1.0.17, 1.1.11, and 1.2.5
CVE-2022-24683
7.5 - High
- February 17, 2022
HashiCorp Nomad and Nomad Enterprise 0.9.2 through 1.0.17, 1.1.11, and 1.2.5 allow operators with read-fs and alloc-exec (or job-submit) capabilities to read arbitrary files on the host filesystem as root.
HashiCorp Nomad and Nomad Enterprise 0.9.0 through 1.0.16, 1.1.11, and 1.2.5
CVE-2022-24684
6.5 - Medium
- February 15, 2022
HashiCorp Nomad and Nomad Enterprise 0.9.0 through 1.0.16, 1.1.11, and 1.2.5 allow operators with job-submit capabilities to use the spread stanza to panic server agents. Fixed in 1.0.18, 1.1.12, and 1.2.6.
HashiCorp Nomad and Nomad Enterprise 0.3.0 through 1.0.17, 1.1.11, and 1.2.5 artifact download functionality has a race condition such
CVE-2022-24686
5.9 - Medium
- February 14, 2022
HashiCorp Nomad and Nomad Enterprise 0.3.0 through 1.0.17, 1.1.11, and 1.2.5 artifact download functionality has a race condition such that the Nomad client agent could download the wrong artifact into the wrong destination. Fixed in 1.0.18, 1.1.12, and 1.2.6
Race Condition
HashiCorp Nomad and Nomad Enterprise up to 1.0.13, 1.1.7, and 1.2.0, with the QEMU task driver enabled
CVE-2021-43415
8.8 - High
- December 03, 2021
HashiCorp Nomad and Nomad Enterprise up to 1.0.13, 1.1.7, and 1.2.0, with the QEMU task driver enabled, allowed authenticated users with job submission capabilities to bypass the configured allowed image paths. Fixed in 1.0.14, 1.1.8, and 1.2.1.
HashiCorp Nomad and Nomad Enterprise 1.1.1 through 1.1.5
CVE-2021-41865
6.5 - Medium
- October 07, 2021
HashiCorp Nomad and Nomad Enterprise 1.1.1 through 1.1.5 allowed authenticated users with job submission capabilities to cause denial of service by submitting incomplete job specifications with a Consul mesh gateway and host networking mode. Fixed in 1.1.6.
HashiCorp Nomad and Nomad Enterprise Raft RPC layer
CVE-2021-37218
8.8 - High
- September 07, 2021
HashiCorp Nomad and Nomad Enterprise Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to access server-only functionality, enabling privilege escalation. Fixed in 1.0.10 and 1.1.4.
Improper Certificate Validation
HashiCorp Nomad and Nomad Enterprise up to version 1.0.4 bridge networking mode
CVE-2021-32575
6.5 - Medium
- June 17, 2021
HashiCorp Nomad and Nomad Enterprise up to version 1.0.4 bridge networking mode allows ARP spoofing from other bridged tasks on the same node. Fixed in 0.12.12, 1.0.5, and 1.1.0 RC1.
HashiCorp Nomad and Nomad Enterprise up to 0.12.9 exec and java task drivers
CVE-2021-3283
7.5 - High
- February 01, 2021
HashiCorp Nomad and Nomad Enterprise up to 0.12.9 exec and java task drivers can access processes associated with other tasks on the same node. Fixed in 0.12.10, and 1.0.3.
HashiCorp Nomad and Nomad Enterprise 0.9.0 up to 0.12.7 client Docker file sandbox feature may be subverted when not explicitly disabled or when using a volume mount type
CVE-2020-28348
6.5 - Medium
- November 24, 2020
HashiCorp Nomad and Nomad Enterprise 0.9.0 up to 0.12.7 client Docker file sandbox feature may be subverted when not explicitly disabled or when using a volume mount type. Fixed in 0.12.8, 0.11.7, and 0.10.8.
Directory traversal
HashiCorp Nomad and Nomad Enterprise version 0.9.0 up to 0.12.5 client file sandbox feature
CVE-2020-27195
9.1 - Critical
- October 22, 2020
HashiCorp Nomad and Nomad Enterprise version 0.9.0 up to 0.12.5 client file sandbox feature can be subverted using either the template or artifact stanzas. Fixed in 0.12.6, 0.11.5, and 0.10.6
HashiCorp Nomad and Nomad Enterprise up to 0.10.4 contained a cross-site scripting vulnerability such
CVE-2020-10944
- April 28, 2020
HashiCorp Nomad and Nomad Enterprise up to 0.10.4 contained a cross-site scripting vulnerability such that files from a malicious workload could cause arbitrary JavaScript to execute in the web UI. Fixed in 0.10.5.
HashiCorp Nomad and Nonad Enterprise up to 0.10.2 HTTP/RPC services
CVE-2020-7218
- January 31, 2020
HashiCorp Nomad and Nonad Enterprise up to 0.10.2 HTTP/RPC services allowed unbounded resource usage, and were susceptible to unauthenticated denial of service. Fixed in 0.10.3.
HashiCorp Nomad and Nomad Enterprise up to 0.10.2 incorrectly validated role/region associated with TLS certificates used for mTLS RPC
CVE-2020-7956
- January 31, 2020
HashiCorp Nomad and Nomad Enterprise up to 0.10.2 incorrectly validated role/region associated with TLS certificates used for mTLS RPC, and were susceptible to privilege escalation. Fixed in 0.10.3.
HashiCorp Nomad 0.9.0 through 0.9.1 has Incorrect Access Control
CVE-2019-12618
- August 12, 2019
HashiCorp Nomad 0.9.0 through 0.9.1 has Incorrect Access Control via the exec driver.
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for HashiCorp Nomad or by HashiCorp? Click the Watch button to subscribe.
