HashiCorp Terraform Enterprise
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in HashiCorp Terraform Enterprise.
By the Year
In 2026 there have been 1 vulnerability in HashiCorp Terraform Enterprise with an average score of 7.7 out of ten. Last year, in 2025 Terraform Enterprise had 1 security vulnerability published. At the current rates, it appears that the number of vulnerabilities last year and this year may equal out. However, the average CVE base score of the vulnerabilities in 2026 is greater by 3.40.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 1 | 7.70 |
| 2025 | 1 | 4.30 |
| 2024 | 0 | 0.00 |
| 2023 | 1 | 7.70 |
| 2022 | 1 | 7.50 |
| 2021 | 2 | 7.65 |
It may take a day or so for new Terraform Enterprise vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent HashiCorp Terraform Enterprise Security Vulnerabilities
Terraform Enterprise VCS Module Ingestion Path Traversal (CVE-2026-14468)
CVE-2026-14468
7.7 - High
- July 06, 2026
HashiCorp Terraform Enterprise contained an issue in its version control system (VCS) ingestion of registry modules that did not correctly enforce the intended boundary on packaged module content. This may allow an authenticated user to include files from outside the intended repository content in a module and then download them, potentially exposing sensitive files readable by the ingestion process. This vulnerability, CVE-2026-14468, is fixed in Terraform Enterprise v2.0.4 and v1.2.4.
Directory traversal
Terraform Enterprise state version privilege escalation (pre-1.1.1)
CVE-2025-13432
4.3 - Medium
- November 21, 2025
Terraform state versions can be created by a user with specific but insufficient permissions in a Terraform Enterprise workspace. This may allow for the alteration of infrastructure if a subsequent plan operation is approved by a user with approval permission or auto-applied. This vulnerability, CVE-2025-13432, is fixed in Terraform Enterprise version 1.1.1 and 1.0.3.
AuthZ
Terraform Enterprise: Improper Auth of Agent Pools
CVE-2023-3114
7.7 - High
- June 22, 2023
Terraform Enterprise since v202207-1 did not properly implement authorization rules for agent pools, allowing the workspace to be targeted by unauthorized agents. This authorization flaw could potentially allow a workspace to access resources from a separate, higher-privileged workspace in the same organization that targeted an agent pool. This vulnerability, CVE-2023-3114, is fixed in Terraform Enterprise v202306-1.
AuthZ
HashiCorp Terraform Enterprise v202112-1, v202112-2, v202201-1, and v202201-2 were configured to log inbound HTTP requests in a manner
CVE-2022-25374
7.5 - High
- February 25, 2022
HashiCorp Terraform Enterprise v202112-1, v202112-2, v202201-1, and v202201-2 were configured to log inbound HTTP requests in a manner that may capture sensitive data. Fixed in v202202-1.
Insertion of Sensitive Information into Log File
HashiCorp Terraform Enterprise up to v202108-1 contained an API endpoint
CVE-2021-40862
8.8 - High
- September 15, 2021
HashiCorp Terraform Enterprise up to v202108-1 contained an API endpoint that erroneously disclosed a sensitive URL to authenticated parties, which could be used for privilege escalation or unauthorized modification of a Terraform configuration. Fixed in v202109-1.
Information Disclosure
HashiCorp Terraform Enterprise up to v202102-2 failed to enforce an organization-level setting
CVE-2021-3153
6.5 - Medium
- March 26, 2021
HashiCorp Terraform Enterprise up to v202102-2 failed to enforce an organization-level setting that required users within an organization to have two-factor authentication enabled. Fixed in v202103-1.
authentification
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for HashiCorp Terraform Enterprise or by HashiCorp? Click the Watch button to subscribe.