CVE-2026-2808: Consul is vulnerable to arbitrary file read when configured with Kubernetes authentication

March 12, 2026 (updated March 24, 2026)

HashiCorp Consul and Consul Enterprise 1.18.20 up to 1.21.10 and 1.22.4 are vulnerable to arbitrary file read when configured with Kubernetes authentication. This vulnerability, CVE-2026-2808, is fixed in Consul 1.18.21, 1.21.11 and 1.22.5.

References

discuss.hashicorp.com/t/hcsec-2026-02-consul-vulnerable-to-arbitrary-file-reads-through-the-vault-kubernetes-authentication-provider/77232
github.com/advisories/GHSA-cpfq-66p2-336j
github.com/hashicorp/consul
nvd.nist.gov/vuln/detail/CVE-2026-2808
pkg.go.dev/vuln/GO-2026-4690

Code Behaviors & Features

Detect and mitigate CVE-2026-2808 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →