HashiCorp Terraform Enterprise

By the Year

In 2026 there have been 0 vulnerabilities in HashiCorp Terraform Enterprise. Last year, in 2025, Terraform Enterprise had 1 security vulnerability published. Right now, Terraform Enterprise is on track to have fewer security vulnerabilities in 2026 than it did last year.




| Year | Vulnerabilities | Average Score |
|------|-----------------|---------------|
| 2026 | 0               | 0.00          |
| 2025 | 1               | 4.30          |
| 2024 | 0               | 0.00          |
| 2023 | 1               | 7.70          |
| 2022 | 1               | 7.50          |
| 2021 | 2               | 7.65          |

It may take a day or so for new Terraform Enterprise vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent HashiCorp Terraform Enterprise Security Vulnerabilities

Terraform Enterprise state version privilege escalation (pre-1.1.1)
CVE-2025-13432 4.3 - Medium - November 21, 2025

Terraform state versions can be created by a user with specific but insufficient permissions in a Terraform Enterprise workspace. This may allow for the alteration of infrastructure if a subsequent plan operation is approved by a user with approval permission or auto-applied. This vulnerability, CVE-2025-13432, is fixed in Terraform Enterprise versions 1.1.1 and 1.0.3.

AuthZ

Terraform Enterprise: Improper Auth of Agent Pools
CVE-2023-3114 7.7 - High - June 22, 2023

Terraform Enterprise since v202207-1 did not properly implement authorization rules for agent pools, allowing the workspace to be targeted by unauthorized agents. This authorization flaw could potentially allow a workspace to access resources from a separate, higher-privileged workspace in the same organization that targeted an agent pool. This vulnerability, CVE-2023-3114, is fixed in Terraform Enterprise v202306-1.

AuthZ

HashiCorp Terraform Enterprise v202112-1, v202112-2, v202201-1, and v202201-2 were configured to log inbound HTTP requests in a manner
CVE-2022-25374 7.5 - High - February 25, 2022

HashiCorp Terraform Enterprise v202112-1, v202112-2, v202201-1, and v202201-2 were configured to log inbound HTTP requests in a manner that may capture sensitive data. Fixed in v202202-1.

Insertion of Sensitive Information into Log File

HashiCorp Terraform Enterprise up to v202108-1 contained an API endpoint
CVE-2021-40862 8.8 - High - September 15, 2021

HashiCorp Terraform Enterprise up to v202108-1 contained an API endpoint that erroneously disclosed a sensitive URL to authenticated parties, which could be used for privilege escalation or unauthorized modification of a Terraform configuration. Fixed in v202109-1.

Information Disclosure

HashiCorp Terraform Enterprise up to v202102-2 failed to enforce an organization-level setting
CVE-2021-3153 6.5 - Medium - March 26, 2021

HashiCorp Terraform Enterprise up to v202102-2 failed to enforce an organization-level setting that required users within an organization to have two-factor authentication enabled. Fixed in v202103-1.

Authentication
