HashiCorp has revealed a critical vulnerability in its Nomad tool that may let attackers gain higher privileges by misusing the Access Control List (ACL) policy lookup. Identified as CVE-2025-4922, this vulnerability has a CVSS score of 8.1, indicating significant risk for organizations using affected Nomad versions.
“Nomad prefix-based ACL policy lookup can lead to incorrect rule application and shadowing,” HashiCorp warned in its security advisory.
By infosecbulletin
/ Sunday , July 12 2026
Global ransomware attacks stayed very high in the first seven months of 2026. There were 5,064 confirmed victims in 135...
Read More
By infosecbulletin
/ Sunday , July 12 2026
Palo Alto Networks shared warnings on Wednesday about over twelve security issues in its products. The new warnings include 13 security...
Read More
By infosecbulletin
/ Sunday , July 12 2026
A critical flaw with how Dell saves BIOS passwords lets anyone quickly recover these passwords from a flash dump without...
Read More
By infosecbulletin
/ Saturday , July 11 2026
CoLoCity is proud to launch a new Data Center in Gulshan-2. It is designed to meet the growing demand for...
Read More
By infosecbulletin
/ Friday , July 10 2026
Cyberattacks are rising around the world, including ransomware, malware, data leaks, and hacked websites. These events show how complex and...
Read More
By infosecbulletin
/ Friday , July 10 2026
A major AWS attack shows how attackers with AI can connect known cloud strategies to go from first access to...
Read More
By infosecbulletin
/ Thursday , July 9 2026
A new cybercrime ad is catching attention in the security world. It talks about a botnet that doesn't just get...
Read More
By infosecbulletin
/ Wednesday , July 8 2026
CrowdStrike has shared five new ways to inject prompts, showing the rising danger to AI agents as more organizations use...
Read More
By infosecbulletin
/ Wednesday , July 8 2026
A critical flaw in Google Cloud Platform’s Dialogflow CX lets attackers add harmful code to a company's AI chatbot system....
Read More
By infosecbulletin
/ Wednesday , July 8 2026
CIRT identified 153 publicly exposed FortiGate devices in Bangladesh. In an advisory CIRT said, the campaign has been observed globally,...
Read More
Nomad has an optional ACL system that controls access to jobs, data, and APIs. It’s capability-based, where users receive permissions through tokens linked to specific policies. The issue arises from Nomad’s method of matching jobs to ACL policies using prefix-based lookups.
This lookup method can be easily manipulated to implement incorrect policies by utilizing job names that share identical prefixes. For instance, a privileged job labeled test-job could inadvertently pass its policies to a less privileged job called test-job-2, resulting from the way the prefix matching operates.
“An attacker with the proper access could create a new job with a prefixed name… to inherit the same ACL policies as an already existing job,” the advisory explained. “This could allow running privileged jobs without explicitly configuring a new policy.”
The vulnerability affects both Nomad Community Edition and Nomad Enterprise, specifically:
Nomad Community from version 1.4.0 to 1.10.1
Nomad Enterprise from version 1.4.0 to 1.10.1, 1.9.9, and 1.8.13
The issue has been resolved in the following patched releases:
Community: 1.10.2
Enterprise: 1.10.2, 1.9.10, and 1.8.14
HashiCorp strongly advises users to upgrade to the fixed versions immediately.