HashiCorp Nomad: allow_privileged Not Enforced (pre 2.0.4/1.11.8/1.10.14)
CVE-2026-14373 Published on July 8, 2026
Nomad Docker driver Linux host namespace bypass
HashiCorp Nomad and Nomad Enterprise did not enforce the allow_privileged restriction for the Docker task driver's host namespace mode options. This may allow an authenticated job submitter to run a container in a host namespace and access information belonging to the host or to other workloads on the same client. This vulnerability, CVE-2026-14373, is fixed in Nomad Community Edition 2.0.4 and Nomad Enterprise 2.0.4, 1.11.8, and 1.10.14.
Weakness Type
What is an AuthZ Vulnerability?
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.
CVE-2026-14373 has been classified to as an AuthZ vulnerability or weakness.
Products Associated with CVE-2026-14373
Want to know whenever a new CVE is published for HashiCorp Nomad? stack.watch will email you.
Affected Versions
HashiCorp Nomad:- Version 0.4.1 and below 2.0.4 is affected.
- Version 0.4.1 and below 2.0.4 is affected.