CVE-2026-8052: HashiCorp Nomad’s exec2 task driver vulnerable to a symlink attack

May 12, 2026 (updated May 19, 2026)

HashiCorp Nomad’s exec2 task driver prior to 0.1.2 is vulnerable to arbitrary file read and write on the client host as the Nomad process user through a symlink attack. This vulnerability (CVE-2026-8052) is fixed in version 0.1.2 of the exec2 task driver.

References

discuss.hashicorp.com/t/hcsec-2026-13-nomads-exec2-task-driver-vulnerable-to-arbitrary-file-read-write-on-client-host-through-symlink-attack/77415
github.com/advisories/GHSA-wqwc-x3rc-2xw6
github.com/hashicorp/nomad-driver-exec2/releases/tag/v0.1.2
nvd.nist.gov/vuln/detail/CVE-2026-8052

Code Behaviors & Features

Detect and mitigate CVE-2026-8052 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →