CVE-2026-14468 in Terraform Enterprise
Summary
by MITRE • 07/06/2026
HashiCorp Terraform Enterprise contained an issue in its version control system (VCS) ingestion of registry modules that did not correctly enforce the intended boundary on packaged module content. This may allow an authenticated user to include files from outside the intended repository content in a module and then download them, potentially exposing sensitive files readable by the ingestion process. This vulnerability, CVE-2026-14468, is fixed in Terraform Enterprise v2.0.4 and v1.2.4.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/07/2026
The vulnerability identified as CVE-2026-14468 represents a critical path traversal flaw within HashiCorp Terraform Enterprise's version control system ingestion mechanism for registry modules. This issue stems from inadequate boundary enforcement during the processing of packaged module content, creating an exploitable condition where authenticated users can manipulate the module ingestion process to include files outside the intended repository scope. The technical implementation fails to properly validate or sanitize file paths during the extraction and processing of module archives, allowing malicious actors to craft module packages that contain references to files located in parent directories or other restricted locations within the system's filesystem hierarchy.
The operational impact of this vulnerability extends beyond simple unauthorized file access, as it provides a potential vector for information disclosure attacks that could expose sensitive data readable by the ingestion process. Attackers with authenticated access can leverage this flaw to retrieve configuration files, credential stores, environment variables, or other potentially sensitive artifacts that should remain isolated within their intended repository boundaries. This represents a significant security risk in environments where Terraform Enterprise manages critical infrastructure configurations and where module repositories might contain proprietary or confidential information.
The vulnerability manifests specifically during the registry module ingestion process where Terraform Enterprise validates and processes module packages submitted by users. When modules are processed, the system should maintain strict boundaries around the intended content to prevent arbitrary file inclusion from external sources. However, the flaw allows for path traversal techniques to bypass these security controls, enabling attackers to reference files outside the module's intended scope through carefully crafted archive contents or symbolic links within the package structure.
This issue aligns with common software security weaknesses catalogued under CWE-22 Path Traversal and CWE-352 Cross-Site Request Forgery concepts, though specifically manifests in a repository context rather than web application traversal. The ATT&CK framework would categorize this vulnerability under TA0007 Discovery and T1083 File and Directory Discovery techniques, as attackers could use this to map the filesystem structure and identify sensitive files accessible through the ingestion process. The authentication requirement for exploitation reduces the attack surface but does not eliminate the risk, particularly in environments where privileged accounts might be compromised or where legitimate users have elevated access rights.
The fix implemented in Terraform Enterprise v2.0.4 and v1.2.4 addresses this vulnerability by strengthening the boundary enforcement mechanisms within the VCS ingestion system. These updates include enhanced path validation routines that properly sanitize file references during module package extraction, ensuring that all file paths are resolved within the intended repository boundaries. The security improvements also incorporate more robust archive processing controls that prevent symbolic link resolution outside of the designated content scope and implement stricter validation of directory structures within packaged modules.
Organizations utilizing Terraform Enterprise should immediately apply the patched versions to mitigate this vulnerability and should conduct thorough assessments of their module repositories to identify any potentially compromised packages that might have been processed before the fix was applied. Security teams should also implement monitoring controls to detect unusual file access patterns during module ingestion processes and establish regular audits of repository content to ensure proper boundary enforcement remains in place. The remediation process should include verifying that all module sources undergo proper validation and that automated systems do not bypass manual review processes for critical infrastructure modules.