HashiCorp Nomad Vulnerability

A significant security vulnerability has been disclosed in the HashiCorp Nomad workload orchestrator that allows attackers to escalate privileges by exploiting the Access Control List (ACL) policy lookup mechanism. 

The vulnerability, tracked as CVE-2025-4922, affects both Community and Enterprise editions of Nomad across multiple versions and poses a serious risk to organizations relying on the platform’s security controls. 

The flaw stems from incorrect prefix-based ACL policy lookups that can lead to unintended policy rule shadowing, enabling malicious actors to inherit privileged access by strategically naming new jobs with prefixed identifiers that match existing high-privilege workloads.

Overview of Nomad ACL Privilege Escalation

The core of this security flaw lies within Nomad’s ACL system implementation, specifically in how the platform performs policy lookups when associating jobs with their corresponding security policies.

Nomad’s ACL system operates on a capability-based model where tokens are linked to policies that define fine-grained access rules and permissions. 

However, the vulnerable versions implement a prefix-based lookup mechanism that fails to properly validate policy associations, creating an opportunity for privilege escalation attacks.


The attack vector is particularly concerning due to its simplicity and potential for abuse. An attacker with basic job creation privileges can exploit this vulnerability by creating a new job with a strategically crafted name that serves as a prefix match for an existing high-privilege job. 

For instance, if a privileged job named “test-job” exists with elevated ACL policies, an attacker could create a new job named “test-job-2” and automatically inherit the same ACL policies without explicit authorization. 

This prefix-matching behavior bypasses the intended security controls and allows unauthorized access to sensitive operations that should require explicit policy configuration.

The technical implications of this vulnerability extend beyond simple privilege escalation. The incorrect policy lookup mechanism can result in policy rule shadowing, where legitimate security boundaries become ineffective due to unintended policy inheritance. 

This creates a scenario where the ACL system, designed to enforce strict access controls, becomes a vector for privilege escalation rather than a protective barrier. 

The vulnerability is particularly dangerous in multi-tenant environments where different teams or applications share the same Nomad cluster, as it could enable cross-tenant privilege escalation and unauthorized access to sensitive workloads.

| Risk Factors | Details |
|---|---|
| Affected Products | Nomad Community Edition 1.4.0 – 1.10.1 (fixed in 1.10.2); Nomad Enterprise 1.4.0 – 1.10.1, 1.9.9, 1.8.13 (fixed in 1.10.2, 1.9.10, 1.8.14) |
| Impact | Privilege escalation via ACL policy rule shadowing and incorrect policy inheritance |
| Exploit Prerequisites | Valid user account with job creation privileges; existing job with ACL policy to prefix-match |
| CVSS 3.1 Score | 7.8 (High) |

Affected Systems

The vulnerability affects a substantial range of Nomad deployments across both Community and Enterprise editions. 

Nomad Community Edition versions from 1.4.0 up to 1.10.1 are vulnerable, while Nomad Enterprise is affected from version 1.4.0 up to 1.10.1, with additional specific vulnerable versions including 1.9.9 and 1.8.13. 

This broad version range indicates that organizations running Nomad deployments installed or updated within the past several major release cycles are potentially at risk.

The security implications are particularly severe for organizations that rely heavily on Nomad’s ACL system for access control and privilege separation. 

In environments where different applications or teams share the same Nomad cluster, this vulnerability could enable lateral movement and unauthorized access to sensitive workloads. 

The ability to inherit ACL policies without proper authorization effectively breaks the security model that organizations depend upon for isolating workloads and controlling access to critical infrastructure components.

The potential for privilege escalation in these environments could lead to unauthorized access to sensitive data, configuration changes, or even complete cluster compromise, depending on the scope of inherited policies.

Mitigations

HashiCorp has addressed this vulnerability through coordinated releases across multiple Nomad versions, demonstrating the company’s commitment to maintaining security across supported product lines. 

The fixes are available in Nomad Community Edition 1.10.2 and Nomad Enterprise versions 1.10.2, 1.9.10, and 1.8.14. 

Organizations should prioritize upgrading to these patched versions immediately, particularly those operating in multi-tenant environments or handling sensitive workloads.

The remediation process should include a comprehensive security assessment of existing job configurations and ACL policies. 

Organizations should audit their current job naming conventions and policy assignments to identify any instances where the prefix-matching vulnerability may have been inadvertently exploited.

This review should encompass all active jobs and their associated ACL policies to ensure that no unauthorized privilege escalation has occurred prior to patching.
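To make both the lookup flaw described earlier and the pre-patch naming audit recommended here concrete, the following Go model (added here, not Nomad's own state-store code) contrasts a prefix-based job-to-policy lookup with an exact-match one and lists job pairs where shadowing could have occurred. The PolicyBinding type, the policy name "prod-deploy" and the job IDs are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// PolicyBinding: ACL policy names bound to a job ID (illustrative model, not Nomad's own code).
type PolicyBinding struct {
	JobID    string
	Policies []string
}

// lookupByPrefix models the flaw: any binding whose job ID prefixes the requested ID matches.
func lookupByPrefix(bindings []PolicyBinding, jobID string) []string {
	var out []string
	for _, b := range bindings {
		if strings.HasPrefix(jobID, b.JobID) { // "test-job-2" inherits "test-job"
			out = append(out, b.Policies...)
		}
	}
	return out
}

// lookupExact is the corrected behaviour: a binding applies only to its exact job ID.
func lookupExact(bindings []PolicyBinding, jobID string) []string {
	for _, b := range bindings {
		if b.JobID == jobID {
			return b.Policies
		}
	}
	return nil
}

// shadowingCandidates lists (policy-bound job, job extending its ID) pairs for the pre-patch audit.
func shadowingCandidates(bindings []PolicyBinding, jobIDs []string) [][2]string {
	var pairs [][2]string
	for _, b := range bindings {
		for _, id := range jobIDs {
			if id != b.JobID && strings.HasPrefix(id, b.JobID) {
				pairs = append(pairs, [2]string{b.JobID, id})
			}
		}
	}
	return pairs
}

func main() {
	bindings := []PolicyBinding{{JobID: "test-job", Policies: []string{"prod-deploy"}}} // constructed sample
	fmt.Println(lookupByPrefix(bindings, "test-job-2"), lookupExact(bindings, "test-job-2"), shadowingCandidates(bindings, []string{"test-job", "test-job-2", "billing"}))
}
```

Running the audit helper over the full job list of a cluster exported before patching gives the candidate pairs whose policy assignments the review should check first.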

Additional security measures include establishing strict job naming conventions that prevent potential prefix conflicts, implementing regular ACL policy audits, and considering the adoption of more granular access controls that limit job creation privileges to trusted users only.


Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She covers various cyber security incidents happening in cyberspace.