Nomad ACL Prefix Shadowing CVE-2025-4922 – Fixed 1.10.2
CVE-2025-4922 Published on June 11, 2025
Nomad Vulnerable To Incorrect ACL Policy Lookup Attached To A Job
In Nomad Community and Nomad Enterprise (Nomad), prefix-based ACL policy lookup can lead to incorrect rule application and shadowing. This vulnerability, identified as CVE-2025-4922, is fixed in Nomad Community Edition 1.10.2 and in Nomad Enterprise 1.10.2, 1.9.10, and 1.8.14.
Weakness Type
Incorrect Privilege Assignment
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Products Associated with CVE-2025-4922
Affected Versions
HashiCorp Nomad:
- Versions from 1.4.0 up to, but not including, 1.10.2 are affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.