github.com/hashicorp/consul vulnerabilities
32 known vulnerabilities affecting github.com/hashicorp/consul.
Total CVEs: 32
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown: HIGH 15, MEDIUM 17
Vulnerabilities
Page 1 of 2
CVE-2026-2808 [MEDIUM] CWE-59: Consul is vulnerable to arbitrary file read when configured with Kubernetes authentication
CVSS 6.8 | Affected: ≥ 0, < 1.18.21; ≥ 1.22.0-rc1, < 1.22.5 (+1 more) | Published: 2026-03-12
HashiCorp Consul and Consul Enterprise 1.18.20 up to 1.21.10 and 1.22.4 are vulnerable to arbitrary file read when configured with Kubernetes authentication. This vulnerability, CVE-2026-2808, is fixed in Consul 1.18.21, 1.21.11 and 1.22.5.

CVE-2025-11375 [MEDIUM] CWE-770: Consul event endpoint is vulnerable to denial of service
CVSS 6.5 | Affected: ≥ 0, < 1.22.0 | Published: 2025-10-28
Consul and Consul Enterprise’s (“Consul”) event endpoint is vulnerable to denial of service (DoS) due to lack of a maximum value on the Content-Length header. This vulnerability, CVE-2025-11375, is fixed in Consul Community Edition 1.22.0 and Consul Enterprise 1.22.0, 1.21.6, 1.20.8 and 1.18.12.

CVE-2025-11374 [MEDIUM] CWE-770: Consul key/value endpoint is vulnerable to denial of service
CVSS 6.5 | Affected: ≥ 0, < 1.22.0 | Published: 2025-10-28
Consul and Consul Enterprise’s (“Consul”) key/value endpoint is vulnerable to denial of service (DoS) due to incorrect Content-Length header validation. This vulnerability, CVE-2025-11374, is fixed in Consul Community Edition 1.22.0 and Consul Enterprise 1.22.0, 1.21.6, 1.20.8 and 1.18.12.

CVE-2024-10005 [HIGH] CWE-22: HashiCorp Consul Path Traversal vulnerability
Affected: ≥ 1.9.0, < 1.20.1 | Published: 2024-10-31
A vulnerability was identified in Consul and Consul Enterprise ("Consul") such that using URL paths in L7 traffic intentions could bypass HTTP request path-based access rules.

CVE-2024-10086 [MEDIUM] CWE-79: HashiCorp Consul Cross-site Scripting vulnerability
Affected: ≥ 1.4.1, < 1.20.0 | Published: 2024-10-31
A vulnerability was identified in Consul and Consul Enterprise such that the server response did not explicitly set a Content-Type HTTP header, allowing user-provided inputs to be misinterpreted and lead to reflected XSS.

CVE-2024-10006 [MEDIUM] CWE-116: HashiCorp Consul Improper Neutralization of HTTP Headers for Scripting Syntax vulnerability
Affected: ≥ 1.9.0, < 1.20.1 | Published: 2024-10-31
A vulnerability was identified in Consul and Consul Enterprise ("Consul") such that using headers in L7 traffic intentions could bypass HTTP header-based access rules.

CVE-2020-25201 [HIGH] CWE-400: Denial of service in HashiCorp Consul
Affected: ≥ 1.7.0, < 1.7.9; ≥ 1.8.0, < 1.8.5 | Published: 2024-01-31
HashiCorp Consul Enterprise versions 1.7.0 up to 1.7.8 and 1.8.0 up to 1.8.4 include a namespace replication bug which can be triggered to cause denial of service via infinite Raft writes. Fixed in 1.7.9 and 1.8.5.

CVE-2020-28053 [MEDIUM] CWE-732: Privilege Escalation in HashiCorp Consul
Affected: ≥ 1.2.0, < 1.6.10; ≥ 1.7.0, < 1.7.10 (+1 more) | Published: 2024-01-31
HashiCorp Consul and Consul Enterprise 1.2.0 up to 1.8.5 allowed operators with operator:read ACL permissions to read the Connect CA private key configuration. Fixed in 1.6.10, 1.7.10, and 1.8.6.

CVE-2023-3518 [HIGH] CWE-266: Consul JWT Auth in L7 Intentions Allows for Mismatched Service Identity and JWT Providers
CVSS 7.3 | Affected: ≥ 1.16.0, < 1.16.1 | Published: 2023-08-09
A vulnerability was identified in Consul such that using JWT authentication for service mesh incorrectly allows/denies access regardless of service identities. This vulnerability, CVE-2023-3518, affects Consul 1.16.0 and was fixed in 1.16.1.

CVE-2019-12291 [HIGH] CWE-284: HashiCorp Consul Incorrect Access Control vulnerability
Affected: ≥ 1.4.0, < 1.5.1 | Published: 2023-06-09
HashiCorp Consul 1.4.0 through 1.5.0 has Incorrect Access Control. Keys not matching a specific ACL rule used for prefix matching in a policy can be deleted by a token using that policy even with default deny settings configured.
### Specific Go Packages Affected
github.com/hashicorp/consul/acl

CVE-2023-2816 [HIGH] CWE-266: HashiCorp Consul allows user with service:write permissions to patch remote proxy instances
Affected: ≥ 1.15.0, < 1.15.3 | Published: 2023-06-03
Consul and Consul Enterprise allowed any user with service:write permissions to use Envoy extensions configured via service-defaults to patch remote proxy instances that target the configured service, regardless of whether the user has permission to modify the service(s) corresponding

CVE-2023-1297 [MEDIUM] CWE-826: HashiCorp Consul vulnerable to denial of service
Affected: ≥ 0, < 1.14.5; ≥ 1.15.0, < 1.15.3 | Published: 2023-06-03
Consul and Consul Enterprise's cluster peering implementation contained a flaw whereby a peer cluster with a service of the same name as a local service could corrupt Consul state, resulting in denial of service. This vulnerability was resolved in Consul 1.14.5 and 1.15.3.

CVE-2023-0845 [MEDIUM] CWE-476: Consul Server Panic when Ingress and API Gateways Configured with Peering Connections
Affected: ≥ 1.14.0, < 1.14.5 | Published: 2023-03-09
A vulnerability was identified in Consul and Consul Enterprise (“Consul”): an authenticated user with service:write permissions could trigger a workflow that causes Consul server and client agents to crash under certain circumstances. To exploit this vulnerability, an attacker requires access to

CVE-2022-3920 [HIGH] CWE-862: Missing Authorization in HashiCorp Consul
Affected: ≥ 1.13.0, < 1.14.0 | Published: 2022-11-16
HashiCorp Consul and Consul Enterprise 1.13.0 up to 1.13.3 do not filter cluster filtering's imported nodes and services for HTTP or RPC endpoints used by the UI. Fixed in 1.14.0.

CVE-2021-41803 [HIGH] CWE-862: HashiCorp Consul does not properly validate node or segment names prior to usage in JWT claim assertions
Affected: ≥ 1.8.1, < 1.11.9; ≥ 1.12.0, < 1.12.5 (+1 more) | Published: 2022-09-25
HashiCorp Consul 1.8.1 up to 1.11.8, 1.12.4, and 1.13.1 did not properly validate the node or segment names prior to interpolation and usage in JWT claim assertions with the auto config RPC. Fixed in 1.11.9, 1.12.5, and 1.13.2.

CVE-2022-40716 [MEDIUM] CWE-252: HashiCorp Consul vulnerable to authorization bypass
Affected: ≥ 0, < 1.11.9; ≥ 1.12.0, < 1.12.5 (+1 more) | Published: 2022-09-25
HashiCorp Consul and Consul Enterprise versions prior to 1.11.9, 1.12.5, and 1.13.2 do not check for multiple SAN URI values in a CSR on the internal RPC endpoint, enabling leverage of privileged access to bypass service mesh intentions. A specially crafted CSR sent directly to Consul’s internal server agent RPC endpoint can include multiple SAN URI values with

CVE-2020-25864 [MEDIUM] CWE-79: HashiCorp Consul Cross-site Scripting vulnerability
Public exploit: PoC | Affected: ≥ 1.9.0, < 1.9.5; ≥ 1.8.0, < 1.8.10 (+1 more) | Published: 2022-05-24
HashiCorp Consul and Consul Enterprise up to version 1.9.4 key-value (KV) raw mode was vulnerable to cross-site scripting. Fixed in 1.9.5, 1.8.10 and 1.7.14.

CVE-2018-19653 [MEDIUM]: HashiCorp Consul can use cleartext agent-to-agent RPC communication
Affected: ≥ 0.5.1, < 1.4.1 | Published: 2022-05-14
HashiCorp Consul 0.5.1 through 1.4.0 can use cleartext agent-to-agent RPC communication because the `verify_outgoing` setting is improperly documented. NOTE: the vendor has provided reconfiguration steps that do not require a software upgrade.

CVE-2019-8336 [HIGH] CWE-284: HashiCorp Consul Access Restriction Bypass
Affected: ≥ 1.4.0, < 1.4.3 | Published: 2022-05-13
HashiCorp Consul (and Consul Enterprise) 1.4.x before 1.4.3 allows a client to bypass intended access restrictions and obtain the privileges of one other arbitrary token within secondary datacenters, because a token with literally "" as its secret is used in unusual circumstances.

CVE-2019-9764 [HIGH] CWE-346: HashiCorp Consul vulnerable to Origin Validation Error
Affected: ≥ 0, < 1.4.4 | Published: 2022-05-13
HashiCorp Consul 1.4.3 lacks server hostname verification for agent-to-agent TLS communication. In other words, the product behaves as if `verify_server_hostname` were set to false, even when it is actually set to true. This is fixed in 1.4.4.