GHSA-wqwc-x3rc-2xw6
Suggest an improvement- Source
- https://github.com/advisories/GHSA-wqwc-x3rc-2xw6
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-wqwc-x3rc-2xw6/GHSA-wqwc-x3rc-2xw6.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-wqwc-x3rc-2xw6
- Aliases
-
- CVE-2026-8052
- Published
- 2026-05-12T21:31:35Z
- Modified
- 2026-05-19T15:47:20.468458414Z
- Severity
-
- 6.0 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N CVSS Calculator
- Summary
- HashiCorp Nomad’s exec2 task driver vulnerable to a symlink attack
- Details
-
HashiCorp Nomad’s exec2 task driver prior to 0.1.2 is vulnerable to arbitrary file read and write on the client host as the Nomad process user through a symlink attack. This vulnerability (CVE-2026-8052) is fixed in version 0.1.2 of the exec2 task driver.
- Database specific
{ "cwe_ids": [ "CWE-59" ], "github_reviewed": true, "nvd_published_at": "2026-05-12T20:16:46Z", "github_reviewed_at": "2026-05-19T15:39:35Z", "severity": "MODERATE" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2026-8052
- https://discuss.hashicorp.com/t/hcsec-2026-13-nomads-exec2-task-driver-vulnerable-to-arbitrary-file-read-write-on-client-host-through-symlink-attack/77415
- https://github.com/hashicorp/nomad-driver-exec2
- https://github.com/hashicorp/nomad-driver-exec2/releases/tag/v0.1.2
Affected packages
Go / github.com/hashicorp/nomad-driver-exec2
Package
- Name
- github.com/hashicorp/nomad-driver-exec2
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/hashicorp/nomad-driver-exec2