HashiCorp Nomad Code Execution (CVE-2026-7474) via Path Traversal

HashiCorp Nomad and Nomad Enterprise versions prior to 2.0.1 are vulnerable to remote code execution on the client host, according to the National Vulnerability Database. This critical flaw, identified as CVE-2026-7474, is a path traversal issue.

Attackers can leverage this vulnerability to execute arbitrary code on client hosts, achieving significant impact given Nomad’s role in orchestrating containerized workloads. The National Vulnerability Database assigns it a CVSS score of 8.8 (High), reflecting the serious compromise potential.

HashiCorp has addressed this vulnerability in Nomad versions 2.0.1, 1.11.5, and 1.10.11. Defenders must prioritize patching to these versions immediately to mitigate the risk of hostile code execution within their orchestration environments.

What This Means For You

  • If your organization runs HashiCorp Nomad or Nomad Enterprise on a version prior to the fixed releases, you are exposed to remote code execution. Immediately verify your Nomad client and server versions. Patch to Nomad 2.0.1, 1.11.5, or 1.10.11 without delay to prevent attackers from exploiting CVE-2026-7474.
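
A version triage helper for the check described above, added here as an example and not taken from HashiCorp or the original advisory. It assumes version strings of the form 1.10.9, v1.10.9 or 1.10.9+ent; the sample inventory is constructed, and pre-release or unparseable strings are reported as unknown rather than guessed.

```sh
#!/bin/sh
# Added example: triage Nomad versions against the fixed releases named in
# this advisory for CVE-2026-7474 (2.0.1, 1.11.5, 1.10.11).

# ver_lt A B: succeed when dotted version A sorts strictly before B.
ver_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" |
            sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# nomad_cve_2026_7474_status VERSION -> prints patched | vulnerable | unknown
nomad_cve_2026_7474_status() {
    # Assumption: a leading "v" and "+ent"-style build metadata may be present.
    v=$(printf '%s' "$1" | sed -e 's/^[vV]//' -e 's/+.*$//')
    # Pre-release or malformed strings are not guessed at.
    printf '%s\n' "$v" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$' || {
        echo unknown
        return 0
    }
    # The 1.10 and 1.11 branches have their own fixed release; everything
    # else is measured against 2.0.1, matching "versions prior to 2.0.1".
    case "$v" in
        1.10.*) fixed=1.10.11 ;;
        1.11.*) fixed=1.11.5 ;;
        *)      fixed=2.0.1 ;;
    esac
    if ver_lt "$v" "$fixed"; then
        echo vulnerable
    else
        echo patched
    fi
}

# Constructed sample inventory (not real hosts). Pass real version strings
# as arguments to classify your own servers and clients.
[ "$#" -gt 0 ] || set -- v1.10.9 1.10.11 1.11.4+ent 1.11.5 1.9.7 2.0.0 2.0.1 2.0.1-rc.1
for ver in "$@"; do
    printf '%-12s %s\n' "$ver" "$(nomad_cve_2026_7474_status "$ver")"
done
```

Treat any host reported as unknown as unpatched until its build is confirmed by hand.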

🛡️ Detection Rules

critical T1190 Initial Access

CVE-2026-7474 HashiCorp Nomad Path Traversal to Code Execution

Sigma YAML:
title: CVE-2026-7474 HashiCorp Nomad Path Traversal to Code Execution
id: scw-2026-05-12-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2026-7474 by looking for the Nomad executable being spawned with command line arguments containing path traversal sequences ('../'). This indicates a potential attempt to write malicious files to arbitrary locations on the client host, leading to code execution.
author: SCW Feed Engine (AI-generated)
date: 2026-05-12
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7474/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: process_creation
detection:
  selection:
    Image|startswith:
      - 'C:\Program Files\Nomad\nomad.exe'
      - '/usr/local/bin/nomad'
    CommandLine|contains:
      - '../'
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World

Indicators of Compromise

ID | Type | Indicator
CVE-2026-7474 | RCE | HashiCorp Nomad and Nomad Enterprise < 2.0.1
CVE-2026-7474 | Path Traversal | HashiCorp Nomad and Nomad Enterprise < 2.0.1
CVE-2026-7474 | RCE | HashiCorp Nomad and Nomad Enterprise versions prior to 1.11.5
CVE-2026-7474 | RCE | HashiCorp Nomad and Nomad Enterprise versions prior to 1.10.11

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 12, 2026 at 23:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
