Nomad 2.0.4/1.11.8/1.10.14: CrossNS Auth Bypass in Host Volumes
CVE-2026-14896 Published on July 8, 2026

Nomad vulnerable to cross-namespace host volume claim deletion
HashiCorp Nomad and Nomad Enterprise are vulnerable to a cross-namespace authorization bypass in the dynamic host volumes feature that may allow an operator holding the host volume delete permission in one namespace to delete a sticky volume claim belonging to a job in another namespace. This vulnerability, CVE-2026-14896, is fixed in Nomad Community Edition 2.0.4 and Nomad Enterprise 2.0.4, 1.11.8, and 1.10.14.

NVD

Weakness Type

What is an AuthZ Vulnerability?

The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

CVE-2026-14896 has been classified to as an AuthZ vulnerability or weakness.


Products Associated with CVE-2026-14896

Want to know whenever a new CVE is published for HashiCorp Nomad? stack.watch will email you.

 

Affected Versions

HashiCorp Nomad: HashiCorp Nomad Enterprise: