CVE-2026-14373 in Nomad
Summary
by MITRE • 07/08/2026
HashiCorp Nomad and Nomad Enterprise did not enforce the allow_privileged restriction for the Docker task driver's host namespace mode options. This may allow an authenticated job submitter to run a container in a host namespace and access information belonging to the host or to other workloads on the same client. This vulnerability, CVE-2026-14373, is fixed in Nomad Community Edition 2.0.4 and Nomad Enterprise 2.0.4, 1.11.8, and 1.10.14.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/08/2026
The vulnerability described in CVE-2026-14373 represents a critical security flaw in HashiCorp Nomad and Nomad Enterprise platforms that directly impacts containerized workload isolation within distributed computing environments. This issue affects the Docker task driver implementation where the system failed to properly enforce the allow_privileged restriction when operating in host namespace mode options, creating a significant attack vector for authenticated users who can submit jobs to the platform.
The technical flaw stems from inadequate enforcement of namespace isolation controls within Nomad's container orchestration framework. When jobs are submitted with host namespace mode configurations, the system should have prevented privileged operations that could grant containers access to the underlying host system or other workloads running on the same client node. However, this restriction was bypassed, allowing malicious or compromised users to escalate privileges beyond the intended security boundaries. The vulnerability specifically targets the Docker task driver component which is responsible for managing container execution environments and their associated security policies.
The operational impact of this vulnerability extends far beyond simple privilege escalation, as it fundamentally undermines the security isolation that containerized workloads are designed to provide. An authenticated job submitter could leverage this weakness to access host-level information, potentially extracting sensitive data from the operating system or other containers running on the same client node. This breach of isolation could lead to data exfiltration, lateral movement within the infrastructure, and compromise of additional workloads that share the same execution environment. The attack surface becomes particularly dangerous in multi-tenant environments where different organizations or teams rely on Nomad for workload orchestration.
Security professionals should note this vulnerability aligns with CWE-276, which addresses improper privileges, and relates to ATT&CK technique T1068, which involves exploiting elevated privileges through process injection. The fix implemented by HashiCorp in versions 2.0.4 for Community Edition and 2.0.4, 1.11.8, and 1.10.14 for Enterprise editions addresses the core enforcement mechanism that was previously bypassed. Organizations must ensure immediate deployment of these patched versions across all Nomad installations to prevent exploitation. Additionally, security teams should implement monitoring for unauthorized job submissions and conduct thorough audits of existing workloads to identify any potential compromise from this vulnerability.
The remediation process requires careful attention to version compatibility and deployment strategies since Nomad operates in distributed environments where multiple client nodes must be updated consistently. Organizations should also review their access control policies to ensure that only trusted users can submit jobs, implementing additional layers of authentication and authorization. Regular security assessments should include verification of namespace isolation controls and enforcement mechanisms to prevent similar vulnerabilities from emerging in other components of the orchestration platform.