CVE-2025-4922 — Incorrect Privilege Assignment in Nomad

CWE-266 — Incorrect Privilege Assignment6 documents4 sources

Severity

8.1HIGHNVD

EPSS

0.1%

top 75.84%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Hashicorp Nomad Hashicorp Nomad Enterprise Github.com Hashicorp Nomad

Timeline

PublishedJun 11

Latest updateJul 28

Description

Nomad Community and Nomad Enterprise (“Nomad”) prefix-based ACL policy lookup can lead to incorrect rule application and shadowing. This vulnerability, identified as CVE-2025-4922, is fixed in Nomad Community Edition 1.10.2 and Nomad Enterprise 1.10.2, 1.9.10, and 1.8.14.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:NExploitability: 2.8 | Impact: 5.2

Affected Packages4 packages

▶CVEListV5hashicorp/nomad_enterprise1.4.0 — 1.10.2

▶CVEListV5hashicorp/nomad1.4.0 — 1.10.2

▶NVDhashicorp/nomad1.4.0 — 1.8.14+3

▶Gogithub.com/hashicorp_nomad< 1.10.2

🔴Vulnerability Details

OSV

Hashicorp Nomad Incorrect Privilege Assignment vulnerability in github.com/hashicorp/nomad↗2025-07-28

▶

OSV

CVE-2025-4922: Nomad Community and Nomad Enterprise (“Nomad”) prefix-based ACL policy lookup can lead to incorrect rule application and shadowing↗2025-06-11

▶

OSV

Hashicorp Nomad Incorrect Privilege Assignment vulnerability↗2025-06-11

▶

CVEList

Nomad Vulnerable To Incorrect ACL Policy Lookup Attached To A Job↗2025-06-11

▶

GHSA

Hashicorp Nomad Incorrect Privilege Assignment vulnerability↗2025-06-11

▶