CVE-2026-2808

Source
https://cve.org/CVERecord?id=CVE-2026-2808
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-2808.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-2808
Aliases
Downstream
Related
Published
2026-03-11T23:08:32.414Z
Modified
2026-07-15T01:49:17.780087522Z
Severity
  • 6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N CVSS Calculator
Summary
Consul vulnerable to arbitrary file reads through the vault kubernetes authentication provider
Details

HashiCorp Consul and Consul Enterprise 1.18.20 up to 1.21.10 and 1.22.4 are vulnerable to arbitrary file read when configured with Kubernetes authentication. This vulnerability, CVE-2026-2808, is fixed in Consul 1.18.21, 1.21.11 and 1.22.5.

Database specific
{
    "cwe_ids": [
        "CWE-59"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/2xxx/CVE-2026-2808.json",
    "cna_assigner": "HashiCorp"
}
References

Affected packages

Git / github.com/hashicorp/consul

Affected ranges

Type
GIT
Repo
https://github.com/hashicorp/consul
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.22.5"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

api/v1.*
api/v1.0.0
api/v1.0.1
api/v1.1.0
api/v1.10.0
api/v1.2.0
api/v1.32.1
api/v1.33.0-rc2
api/v1.33.1
api/v1.4.0
envoyextensions/v0.*
envoyextensions/v0.9.1
internal/v0.*
internal/v0.1.0
Other
list
proto-public/v0.*
proto-public/v0.1.0
proto-public/v0.1.1
proto-public/v0.7.0
proto-public/v0.7.1
sdk/v0.*
sdk/v0.1.0
sdk/v0.1.1
sdk/v0.17.0
sdk/v0.17.0-rc1
sdk/v0.17.1
sdk/v0.17.2
sdk/v0.2.0
sdk/v0.4.0
troubleshoot/v0.*
troubleshoot/v0.8.1
v0.*
v0.1.0
v0.2.0
v0.2.1
v0.3.0
v0.3.1
v0.4.0
v0.4.1
v0.5.0
v0.5.0rc1
v0.5.1
v0.5.2
v0.6.0
v0.6.0-rc1
v0.6.0-rc2
v0.6.1
v0.6.3
v0.6.4
v0.6.4-rc3
v0.7.0
v0.7.0-rc1
v0.7.0-rc2
v0.7.1
v0.7.2
v0.7.2-rc1
v0.7.3
v0.7.4
v0.8.0
v0.8.0-rc1
v0.8.1
v0.8.2
v0.8.4
v0.8.5
v0.9.0
v0.9.0-rc1
v0.9.1
v0.9.2
v0.9.3
v0.9.3-rc1
v0.9.3-rc2
v1.*
v1.0.0
v1.0.0-beta1
v1.0.0-beta2
v1.0.1
v1.0.1-rc1
v1.0.2
v1.0.3
v1.0.4
v1.0.5
v1.0.6
v1.0.7
v1.1.0
v1.2.0
v1.2.1
v1.2.2
v1.2.3
v1.4.0
v1.4.0-rc1
v1.4.1
v1.4.2
v1.4.3
v1.4.4
v1.5.0
v1.5.1
v1.5.2
v1.5.3
v1.6.0
v1.6.1
v1.7.0
v1.7.0-beta1
v1.7.0-beta2
v1.7.0-beta3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-2808.json"