CVE-2026-7474
Published 2026-05-12
Priority P263 · high · 8.8 · CVSS 3.1
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 6.89% (93.3th percentile)
HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to code execution on the client host through a path traversal attack. This vulnerability (CVE-2026-7474) is fixed in Nomad 2.0.1, 1.11.5 and 1.10.11.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | hashicorp_nomad | >= 0 < 1.11.0-rc.1.0.20260511152149-cd7240c4099a | 1.11.0-rc.1.0.20260511152149-cd7240c4099a |
| hashicorp | nomad | >= 1.10.0 < 2.0.1 | 2.0.1 |
| hashicorp | nomad_enterprise | >= 1.10.0 < 2.0.1 | 2.0.1 |
CVSS provenance
nvd · v3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
ghsa · 8.8 HIGH
GHSA
GHSA-hx53-77qj-8663: HashiCorp Nomad and Nomad Enterprise prior to 2
ghsa_unreviewed·2026-05-12·CVSS 8.8
CVE-2026-7474 [HIGH] CWE-22 GHSA-hx53-77qj-8663: HashiCorp Nomad and Nomad Enterprise prior to 2
HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to code execution on the client host through a path traversal attack. This vulnerability (CVE-2026-7474) is fixed in Nomad 2.0.1, 1.11.5 and 1.10.11.
VulDB
HashiCorp Nomad/Nomad Enterprise up to 2.0.0 path traversal
vuldb·2026-05-12
CVE-2026-7474 [CRITICAL] HashiCorp Nomad/Nomad Enterprise up to 2.0.0 path traversal
A vulnerability marked as critical has been reported in HashiCorp Nomad and Nomad Enterprise up to 2.0.0. Affected by this issue is some unknown functionality. The manipulation leads to path traversal.
This vulnerability is listed as CVE-2026-7474. The attack may be initiated remotely. There is no available exploit.
It is suggested to upgrade the affected component.
GHSA
HashiCorp Nomad vulnerable to a path traversal
ghsa·2026-05-12·CVSS 8.8
CVE-2026-7474 [HIGH] CWE-22 HashiCorp Nomad vulnerable to a path traversal
HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to code execution on the client host through a path traversal attack. This vulnerability (CVE-2026-7474) is fixed in Nomad 2.0.1, 1.11.5 and 1.10.11.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.