cbcvebase.
CVE-2025-1296
published 2025-03-10

CVE-2025-1296: Nomad Community and Nomad Enterprise (“Nomad”) are vulnerable to unintentional exposure of the workload identity token and client secret token in audit logs…

Priority: P3, 36, medium
CVSS 3.1: 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
EPSS: 0.45% (35.8th percentile)

Nomad Community and Nomad Enterprise (“Nomad”) are vulnerable to unintentional exposure of the workload identity token and client secret token in audit logs. This vulnerability, identified as CVE-2025-1296, is fixed in Nomad Community Edition 1.9.7 and Nomad Enterprise 1.9.7, 1.8.11, and 1.7.19.

Affected

7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | hashicorp_nomad | >= 0 < 1.9.7 | 1.9.7 |
| github.com | hashicorp_nomad | 0 – 1.9.6 | |
| hashicorp | nomad | >= 1.0.0 < 1.7.19 | 1.7.19 |
| hashicorp | nomad | >= 1.0.0 < 1.9.7 | 1.9.7 |
| hashicorp | nomad | >= 1.8.0 < 1.8.11 | 1.8.11 |
| hashicorp | nomad | >= 1.9.0 < 1.9.7 | 1.9.7 |
| hashicorp | nomad_enterprise | >= 1.0.0 < 1.9.7 | 1.9.7 |

CVSS provenance

nvd: v3.1, 6.5 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
ghsa: 6.5 MEDIUM
osv: 6.5 MEDIUM