Nomad Path Traversal CVE-2026-7474, Code Exec via Client Host, fixed in 2.0.1
CVE-2026-7474 Published on May 12, 2026
Nomad vulnerable to path traversal in dynamic host volume which may lead to code execution
HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to code execution on the client host through a path traversal attack. This vulnerability (CVE-2026-7474) is fixed in Nomad 2.0.1, 1.11.5 and 1.10.11.
Weakness Type
What is a Directory traversal Vulnerability?
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CVE-2026-7474 has been classified to as a Directory traversal vulnerability or weakness.
Products Associated with CVE-2026-7474
Want to know whenever a new CVE is published for HashiCorp Nomad? stack.watch will email you.
Affected Versions
HashiCorp Nomad:- Version 1.10.0 and below 2.0.1 is affected.
- Version 1.10.0 and below 2.0.1 is affected.