CVE-2026-14468

HashiCorp · Terraform Enterprise

A path traversal vulnerability in HashiCorp Terraform Enterprise during VCS registry module ingestion allows for unauthorized file reads.

Executive summary

A high-severity path traversal vulnerability in HashiCorp Terraform Enterprise allows authenticated users to read arbitrary files from the server.

Vulnerability

This is an Improper Limitation of a Pathname to a Restricted Directory (CWE-22) issue within the Version Control System (VCS) ingestion process. An authenticated attacker can manipulate module content to read sensitive files outside of the intended directory boundaries.

Business impact

With a CVSS score of 7.7, this vulnerability poses a critical risk to data confidentiality. Unauthorized access to arbitrary files can lead to the exposure of sensitive configuration data, credentials, or environment variables, potentially facilitating further lateral movement or full system compromise within the Terraform Enterprise environment.

Remediation

Immediate Action: Update Terraform Enterprise to the latest version (2.0.4 or higher) where the path validation logic has been corrected.

Proactive Monitoring: Audit access logs for unusual file read operations and monitor the VCS ingestion pipeline for malformed or suspicious module packages.

Compensating Controls: Restrict access to the VCS ingestion functionality to trusted users only and ensure the application runs with the principle of least privilege regarding file system permissions.

Exploitation status

Public Exploit Available: false

Analyst recommendation

The ability to read arbitrary files presents a severe risk in enterprise environments. Organizations should prioritize patching their Terraform Enterprise instances and conduct a thorough review of environment logs to ensure no unauthorized file access has occurred.