CVE-2026-7776

Source
https://cve.org/CVERecord?id=CVE-2026-7776
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-7776.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-7776
Aliases
Published
2026-05-04T21:34:10.975Z
Modified
2026-07-08T08:12:41.302583283Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Boundary Workers Vulnerable to Denial of Service During TLS Handshake
Details

Boundary Community Edition and Boundary Enterprise (“Boundary”) workers are vulnerable to a denial-of-service condition during node enrollment TLS handshakes. An attacker with network access to the worker authentication listener may open a connection and delay or withhold the client certificate during the TLS handshake, causing worker connection handling to block. This may prevent legitimate worker connections from being accepted or routed. This vulnerability, CVE-2026-7776, is fixed in Boundary 0.21.3, 0.20.3, 0.19.5.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/7xxx/CVE-2026-7776.json",
    "cna_assigner": "HashiCorp",
    "cwe_ids": [
        "CWE-770"
    ]
}
References

Affected packages

Git / github.com/hashicorp/boundary

Affected ranges

Type
GIT
Repo
https://github.com/hashicorp/boundary
Events
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "0.9.0"
        },
        {
            "fixed": "0.21.3"
        }
    ]
}

Affected versions

api/v0.*
api/v0.0.26
api/v0.0.27
api/v0.0.28
api/v0.0.29
api/v0.0.33
api/v0.0.35
api/v0.0.36
api/v0.0.37
api/v0.0.38
api/v0.0.39
api/v0.0.40
api/v0.0.41
api/v0.0.43
api/v0.0.44
api/v0.0.45
api/v0.0.50
api/v0.0.52
api/v0.0.53
api/v0.0.56
api/v0.0.57
api/v0.0.58
api/v0.0.59
api/v0.0.60
sdk/v0.*
sdk/v0.0.17
sdk/v0.0.18
sdk/v0.0.19
sdk/v0.0.20
sdk/v0.0.21
sdk/v0.0.22
sdk/v0.0.24
sdk/v0.0.27
sdk/v0.0.28
sdk/v0.0.29
sdk/v0.0.31
sdk/v0.0.32
sdk/v0.0.33
sdk/v0.0.34
sdk/v0.0.35
sdk/v0.0.36
sdk/v0.0.37
sdk/v0.0.39
sdk/v0.0.40
sdk/v0.0.41
sdk/v0.0.42
sdk/v0.0.48
sdk/v0.0.49
sdk/v0.0.51
sdk/v0.0.53
sdk/v0.0.54
sdk/v0.0.55
sdk/v0.0.56
sdk/v0.0.57
v0.*
v0.10.0
v0.13.0
v0.15.0
v0.17.0
v0.18.0
v0.21.0
v0.21.1
v0.21.2
v0.9.0
v0.9.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-7776.json"