Nomad Community and Nomad Enterprise (“Nomad”) are vulnerable to unintentional exposure of the workload identity token and client secret token in audit logs. This vulnerability, identified as CVE-2025-1296, is fixed in Nomad Community Edition 1.9.7 and Nomad Enterprise 1.9.7, 1.8.11, and 1.7.19.
{
"cwe_ids": [
"CWE-532"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/1xxx/CVE-2025-1296.json",
"cna_assigner": "HashiCorp"
}{
"cpe": [
"cpe:2.3:a:hashicorp:nomad:*:*:*:*:enterprise:*:*:*",
"cpe:2.3:a:hashicorp:nomad:*:*:*:*:-:*:*:*"
],
"extracted_events": [
{
"introduced": "1.0.0"
},
{
"fixed": "1.7.19"
},
{
"fixed": "1.9.7"
},
{
"introduced": "1.8.0"
},
{
"fixed": "1.8.11"
},
{
"introduced": "1.9.0"
}
],
"source": "CPE_RANGE"
}