CVE-2026-6959 — HashiCorp Nomad vulnerable to symlink attack

Description

HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to arbitrary file read and write on the client host as the Nomad process user through a symlink attack. This vulnerability (CVE-2026-6959) is fixed in Nomad 2.0.1, 1.11.5 and 1.10.11.

How to fix CVE-2026-6959

To remediate CVE-2026-6959, upgrade the affected package to a fixed version below.

—upgrade to 1.11.0-rc.1.0.20260512123500-2a09fd62c238 or later

Is CVE-2026-6959 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.11.0-rc.1.0.20260512123500-2a09fd62c238

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.0	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-6959
PATCHgithub.com/hashicorp/nomad
WEBdiscuss.hashicorp.com/t/hcsec-2026-14-nomad-arbitrary-file-read-write-on-client-host-through-symlink-attack/77416
WEBgithub.com/hashicorp/nomad/commit/2a09fd62c23880ff306499ae03fe64628d82a23f