CVE-2026-14891
HashiCorp · Nomad
A sandbox escape vulnerability in the HashiCorp Nomad Docker task driver allows job submitters to bind-mount host paths, enabling unauthorized read/write access to the host filesystem.
Executive summary
A high-severity sandbox escape in the HashiCorp Nomad Docker task driver allows privileged users to bypass file access restrictions and compromise the host system.
Vulnerability
This vulnerability, identified as an improper link resolution issue, allows a job submitter to bind-mount a host path into a container even when such actions are disabled. The attacker must possess high-level privileges to submit jobs to the cluster.
Business impact
Successful exploitation allows an attacker to read or modify files on the host machine, effectively breaking the isolation layer between the container and the underlying infrastructure. With a CVSS score of 8.7, this vulnerability represents a severe threat to the security of containerized environments and the underlying host nodes.
Remediation
Immediate Action: Upgrade HashiCorp Nomad and Nomad Enterprise to version 2.0.4 or later immediately.
Proactive Monitoring: Review audit logs for unusual job submissions or attempts to access restricted host paths via the Docker task driver.
Compensating Controls: Implement strict Role-Based Access Control (RBAC) to limit which users can submit jobs to the Nomad cluster, thereby reducing the attack surface.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the potential for complete host compromise, upgrading to the patched version is the only effective mitigation. Security teams should treat this as an urgent infrastructure update to maintain the integrity of the Nomad cluster.