PT-2026-56576 · Hashicorp · Nomad+1
Published
2026-07-08
·
Updated
2026-07-08
·
CVE-2026-14896
CVSS v3.1
4.2
Medium
| Vector | AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L |
HashiCorp Nomad and Nomad Enterprise are vulnerable to a cross-namespace authorization bypass in the dynamic host volumes feature that may allow an operator holding the host volume delete permission in one namespace to delete a sticky volume claim belonging to a job in another namespace. This vulnerability, CVE-2026-14896, is fixed in Nomad Community Edition 2.0.4 and Nomad Enterprise 2.0.4, 1.11.8, and 1.10.14.
Fix
Incorrect Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Nomad
Nomad Enterprise