CVE-2026-14891 in Nomadinfo

Summary

by MITRE • 07/08/2026

HashiCorp Nomad and Nomad Enterprise are vulnerable to a sandbox escape in the Docker task driver that may allow a job submitter to bind-mount a host path into a container even when volume bind mounts are disabled, potentially leading to reading and writing files on the host. This vulnerability, CVE-2026-14891, is fixed in Nomad Community Edition 2.0.4 and Nomad Enterprise 2.0.4, 1.11.8, and 1.10.14.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/08/2026

The vulnerability described in CVE-2026-14891 represents a critical sandbox escape flaw within HashiCorp Nomad's Docker task driver implementation that fundamentally undermines container isolation principles. This security weakness affects both Nomad Community Edition and Enterprise variants, creating a significant risk for organizations relying on containerized workloads. The vulnerability stems from improper validation of volume mount configurations within the Docker driver, allowing malicious job submitters to circumvent intended security controls that should prevent host path binding operations.

The technical exploitation of this flaw occurs through manipulation of the Docker task driver's volume configuration handling. When volume bind mounts are explicitly disabled through configuration settings, the system should enforce strict isolation between containerized processes and the underlying host filesystem. However, the vulnerability enables attackers to bypass these restrictions by crafting specific job definitions that trigger a path traversal condition in the Docker driver logic. This allows unauthorized container processes to access host directories through bind mount operations that should have been prohibited.

The operational impact of this vulnerability extends beyond simple privilege escalation, potentially enabling full host compromise scenarios. An attacker who can submit jobs to a Nomad cluster could leverage this flaw to read sensitive files from the host system such as configuration data, credentials, or application data. Additionally, write access to host filesystems could enable attackers to modify critical system components, install persistent backdoors, or disrupt normal operations. The severity increases significantly in environments where Nomad clusters are shared across multiple tenants or where job submitters have varying levels of trust within the organization.

This vulnerability aligns with CWE-276, which addresses improper privileges and access control issues, and demonstrates characteristics consistent with attack patterns documented in the MITRE ATT&CK framework under T1059 for command and scripting interpreter and T1078 for valid accounts. The flaw represents a container escape condition that violates fundamental security assumptions about container isolation, potentially enabling lateral movement within compromised environments and providing attackers with additional footholds for extended operations.

Organizations should immediately implement the recommended patches across all affected Nomad installations, prioritizing deployment of versions 2.0.4 for Community Edition and Enterprise editions 2.0.4, 1.11.8, and 1.10.14. Security teams should conduct thorough assessments of existing job configurations to identify any potentially compromised workloads and implement additional monitoring controls around Docker volume mount operations. Network segmentation and privilege separation measures can provide additional defense-in-depth layers while waiting for full patch deployment, particularly in environments where immediate updates are not feasible due to operational constraints or testing requirements.

Responsible

HashiCorp

Reservation

07/06/2026

Disclosure

07/08/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!