CVE-2026-2808 — Link Following in Consul

CWE-59 — Link Following8 documents6 sources

Severity

6.8MEDIUMNVD

EPSS

0.0%

top 93.04%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Hashicorp Consul Hashicorp Consul Enterprise Github.com Hashicorp Consul +1 more

Timeline

PublishedMar 12

Latest updateMar 16

Description

HashiCorp Consul and Consul Enterprise 1.18.20 up to 1.21.10 and 1.22.4 are vulnerable to arbitrary file read when configured with Kubernetes authentication. This vulnerability, CVE-2026-2808, is fixed in Consul 1.18.21, 1.21.11 and 1.22.5.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:NExploitability: 2.3 | Impact: 4.0

Affected Packages4 packages

▶CVEListV5hashicorp/consul_enterprise< 1.22.5

▶CVEListV5hashicorp/consul< 1.22.5

▶Gogithub.com/hashicorp_consul1.22.0-rc1 — 1.22.5+3

▶debiandebian/consul

🔴Vulnerability Details

OSV

Consul is vulnerable to arbitrary file read when configured with Kubernetes authentication in github.com/hashicorp/consul↗2026-03-16

▶

OSV

CVE-2026-2808: HashiCorp Consul and Consul Enterprise 1↗2026-03-12

▶

GHSA

Consul is vulnerable to arbitrary file read when configured with Kubernetes authentication↗2026-03-12

▶

OSV

Consul is vulnerable to arbitrary file read when configured with Kubernetes authentication↗2026-03-12

▶

📋Vendor Advisories

Red Hat

github.com/hashicorp/consul: HashiCorp Consul: Arbitrary file read via Kubernetes authentication configuration↗2026-03-11

▶

Debian

CVE-2026-2808: consul - HashiCorp Consul and Consul Enterprise 1.18.20 up to 1.21.10 and 1.22.4 are vuln...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-2808 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶