github.com/hashicorp/nomad (Go) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Go package github.com/hashicorp/nomad, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (34)
CVE-2023-1782 — CVSS 9.9 (critical): HashiCorp Nomad and Nomad Enterprise versions 1.5.0 up to 1.5.2 allow unauthenticated users to bypass intended ACL authorizations for…
CVE-2020-7956 — CVSS 9.8 (critical): HashiCorp Nomad and Nomad Enterprise up to 0.10.2 incorrectly validated role/region associated with TLS certificates used for mTLS RPC, and…
CVE-2022-30324 — CVSS 9.8 (critical): HashiCorp Nomad and Nomad Enterprise version 0.2.0 up to 1.3.0 were impacted by go-getter vulnerabilities enabling privilege escalation…
CVE-2020-27195 — CVSS 9.1 (critical): HashiCorp Nomad and Nomad Enterprise version 0.9.0 up to 0.12.5 client file sandbox feature can be subverted using either the template or…
CVE-2026-7474 — CVSS 8.8 (high): HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to code execution on the client host through a path traversal attack…
CVE-2021-37218 — CVSS 8.8 (high): HashiCorp Nomad and Nomad Enterprise Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to access…
CVE-2021-43415 — CVSS 8.8 (high): HashiCorp Nomad and Nomad Enterprise up to 1.0.13, 1.1.7, and 1.2.0, with the QEMU task driver enabled, allowed authenticated users with…
CVE-2025-4922 — CVSS 8.1 (high): Nomad Community and Nomad Enterprise (“Nomad”) prefix-based ACL policy lookup can lead to incorrect rule application and shadowing…
CVE-2024-10975 — CVSS 7.7 (high): Nomad Community and Nomad Enterprise ("Nomad") volume specification is vulnerable to arbitrary cross-namespace volume creation through…
CVE-2024-1329 — CVSS 7.7 (high): HashiCorp Nomad and Nomad Enterprise 1.5.13 up to 1.6.6, and 1.7.3 template renderer is vulnerable to arbitrary file write on the host as…
CVE-2024-6717 — CVSS 7.7 (high): HashiCorp Nomad and Nomad Enterprise 1.6.12 up to 1.7.9, and 1.8.1 archive unpacking during migration is vulnerable to path escaping of the…
CVE-2022-24685 — CVSS 7.5 (high): HashiCorp Nomad and Nomad Enterprise 1.0.17, 1.1.11, and 1.2.5 allow invalid HCL for the jobs parse endpoint, which may cause excessive CPU…
CVE-2021-3283 — CVSS 7.5 (high): HashiCorp Nomad and Nomad Enterprise up to 0.12.9 exec and java task drivers can access processes associated with other tasks on the same…
CVE-2022-24683 — CVSS 7.5 (high): HashiCorp Nomad and Nomad Enterprise 0.9.2 through 1.0.17, 1.1.11, and 1.2.5 allow operators with read-fs and alloc-exec (or job-submit)…
CVE-2020-7218 — CVSS 7.5 (high): HashiCorp Nomad and Nonad Enterprise up to 0.10.2 HTTP/RPC services allowed unbounded resource usage, and were susceptible to…
CVE-2023-1299 — CVSS 7.4 (high): HashiCorp Nomad and Nomad Enterprise 1.5.0 allow a job submitter to escalate to management-level privileges using workload identity and…
CVE-2020-28348 — CVSS 6.5 (medium): HashiCorp Nomad and Nomad Enterprise 0.9.0 up to 0.12.7 client Docker file sandbox feature may be subverted when not explicitly disabled or…
CVE-2022-24684 — CVSS 6.5 (medium): HashiCorp Nomad and Nomad Enterprise 0.9.0 through 1.0.16, 1.1.11, and 1.2.5 allow operators with job-submit capabilities to use the spread…
CVE-2022-41606 — CVSS 6.5 (medium): HashiCorp Nomad and Nomad Enterprise 1.0.2 up to 1.2.12, and 1.3.5 jobs submitted with an artifact stanza using invalid S3 or GCS URLs can…
CVE-2023-0821 — CVSS 6.5 (medium): HashiCorp Nomad and Nomad Enterprise 1.2.15 up to 1.3.8, and 1.4.3 jobs using a maliciously compressed artifact stanza source can cause…
CVE-2024-12678 — CVSS 6.5 (medium): Nomad Community and Nomad Enterprise ("Nomad") allocations are vulnerable to privilege escalation within a namespace through unredacted…
CVE-2025-1296 — CVSS 6.5 (medium): Nomad Community and Nomad Enterprise (“Nomad”) are vulnerable to unintentional exposure of the workload identity token and client…
CVE-2021-32575 — CVSS 6.5 (medium): HashiCorp Nomad and Nomad Enterprise up to version 1.0.4 bridge networking mode allows ARP spoofing from other bridged tasks on the same…
CVE-2026-6959 — CVSS 6.0 (medium): HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to arbitrary file read and write on the client host as the Nomad process…
CVE-2022-24686 — CVSS 5.9 (medium): HashiCorp Nomad and Nomad Enterprise 0.3.0 through 1.0.17, 1.1.11, and 1.2.5 artifact download functionality has a race condition such that…
CVE-2024-7625 — CVSS 5.8 (medium): In HashiCorp Nomad and Nomad Enterprise from 0.6.1 up to 1.6.13, 1.7.10, and 1.8.2, the archive unpacking process is vulnerable to writes…
CVE-2023-3300 — CVSS 5.3 (medium): HashiCorp Nomad and Nomad Enterprise 0.11.0 up to 1.5.6 and 1.4.1 HTTP search API can reveal names of available CSI plugins to…
CVE-2019-14802 — CVSS 5.3 (medium): HashiCorp Nomad 0.5.0 through 0.9.4 (fixed in 0.9.5) reveals unintended environment variables to the rendering task during template…
CVE-2022-3866 — CVSS 5.0 (medium): HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1 workload identity token can list non-sensitive metadata for paths under nomad/ that…
CVE-2023-3072 — CVSS 4.1 (medium): HashiCorp Nomad and Nomad Enterprise 0.7.0 up to 1.5.6 and 1.4.10 ACL policies using a block without a label generates unexpected results…
CVE-2023-3299 — CVSS 3.4 (low): HashiCorp Nomad Enterprise 1.2.11 up to 1.5.6, and 1.4.10 ACL policies using a block without a label generates unexpected results. Fixed in…
CVE-2022-3867 — CVSS 2.7 (low): HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1 event stream subscribers using a token with TTL receive updates until token garbage…
CVE-2023-1296 — CVSS 2.7 (low): HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.5.0 did not correctly enforce deny policies applied to a workload’s variables. Fixed…