CVE-2026-14468
HashiCorp · Terraform Enterprise
A path traversal vulnerability in HashiCorp Terraform Enterprise during VCS registry module ingestion allows for unauthorized file reads.
Executive summary
A high-severity path traversal vulnerability in HashiCorp Terraform Enterprise allows authenticated users to read arbitrary files from the server.
Vulnerability
This is an Improper Limitation of a Pathname to a Restricted Directory (CWE-22) issue within the Version Control System (VCS) ingestion process. An authenticated attacker can manipulate module content to read sensitive files outside of the intended directory boundaries.
Business impact
With a CVSS score of 7.7, this vulnerability poses a critical risk to data confidentiality. Unauthorized access to arbitrary files can lead to the exposure of sensitive configuration data, credentials, or environment variables, potentially facilitating further lateral movement or full system compromise within the Terraform Enterprise environment.
Remediation
Immediate Action: Update Terraform Enterprise to the latest version (2.0.4 or higher) where the path validation logic has been corrected.
Proactive Monitoring: Audit access logs for unusual file read operations and monitor the VCS ingestion pipeline for malformed or suspicious module packages.
Compensating Controls: Restrict access to the VCS ingestion functionality to trusted users only and ensure the application runs with the principle of least privilege regarding file system permissions.
Exploitation status
Public Exploit Available: false
Analyst recommendation
The ability to read arbitrary files presents a severe risk in enterprise environments. Organizations should prioritize patching their Terraform Enterprise instances and conduct a thorough review of environment logs to ensure no unauthorized file access has occurred.