CVE-2026-7474 — HashiCorp Nomad vulnerable to a path traversal

Description

HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to code execution on the client host through a path traversal attack. This vulnerability (CVE-2026-7474) is fixed in Nomad 2.0.1, 1.11.5 and 1.10.11.

How to fix CVE-2026-7474

To remediate CVE-2026-7474, upgrade the affected package to a fixed version below.

Go/github.com/hashicorp/nomad—upgrade to 1.11.0-rc.1.0.20260511152149-cd7240c4099a or later

Is CVE-2026-7474 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.11.0-rc.1.0.20260511152149-cd7240c4099a

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-7474
PATCHgithub.com/hashicorp/nomad
WEBdiscuss.hashicorp.com/t/hcsec-2026-15-nomad-vulnerable-to-path-traversal-in-dynamic-host-volume-which-may-lead-to-code-execution/77417
WEBgithub.com/hashicorp/nomad/commit/cd7240c4099ad33eda279924fb3a9459b162d120