HashiCorp Nomad: allow_privileged Not Enforced (pre 2.0.4/1.11.8/1.10.14)
CVE-2026-14373 Published on July 8, 2026

Nomad Docker driver Linux host namespace bypass
HashiCorp Nomad and Nomad Enterprise did not enforce the allow_privileged restriction for the Docker task driver's host namespace mode options. This may allow an authenticated job submitter to run a container in a host namespace and access information belonging to the host or to other workloads on the same client. This vulnerability, CVE-2026-14373, is fixed in Nomad Community Edition 2.0.4 and Nomad Enterprise 2.0.4, 1.11.8, and 1.10.14.

NVD

Weakness Type

What is an AuthZ Vulnerability?

The software does not perform an authorization check when an actor attempts to access a resource or perform an action.

CVE-2026-14373 has been classified to as an AuthZ vulnerability or weakness.


Products Associated with CVE-2026-14373

Want to know whenever a new CVE is published for HashiCorp Nomad? stack.watch will email you.

 

Affected Versions

HashiCorp Nomad: HashiCorp Nomad Enterprise: