HashiCorp Nomad Vulnerability Allows Privilege Escalation via ACL Policy Lookup Exploit


A security vulnerability in the HashiCorp Nomad workload orchestrator allows attackers to escalate privileges by exploiting the Access Control List (ACL) policy lookup mechanism. The vulnerability, tracked as CVE-2025-4922, affects both the Community and Enterprise editions of Nomad across multiple versions and poses a serious risk to organizations that rely on the platform's ACL controls to keep workloads separated. The flaw stems from an incorrect prefix-based ACL policy lookup that can lead to unintended policy rule shadowing: because the lookup matches on a prefix of the job identifier rather than on the exact identifier, an attacker who can submit jobs can choose a job name that prefix-matches an existing high-privilege workload and thereby inherit the policy rules attached to that workload.
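To make the bug class concrete, the following Go program is an added illustration written for this page, not Nomad's own code: a toy policy index keyed by job ID, with the vulnerable prefix-scan lookup next to the exact-match lookup that fixes it. The type names, the job IDs "billing-admin" and "billing", and the rule string are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Policy is a simplified ACL policy bound to one job ID.
// Illustration only; Nomad's real policy and index types differ.
type Policy struct {
	Name  string
	JobID string // the job the policy is attached to
	Rules string // kept as a single string for the illustration
}

// PolicyStore keeps policies indexed by job ID, emulating a store that
// supports prefix scans over its keys (as a radix-tree index does).
type PolicyStore struct {
	byJob map[string][]Policy
}

func NewPolicyStore() *PolicyStore {
	return &PolicyStore{byJob: map[string][]Policy{}}
}

// Attach binds a policy to the job named in p.JobID.
func (s *PolicyStore) Attach(p Policy) {
	s.byJob[p.JobID] = append(s.byJob[p.JobID], p)
}

// sortedJobIDs returns the index keys in order so scans are deterministic.
func (s *PolicyStore) sortedJobIDs() []string {
	ids := make([]string, 0, len(s.byJob))
	for id := range s.byJob {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	return ids
}

// LookupByPrefix models the vulnerable behaviour: every policy whose job ID
// merely starts with the requested ID is returned, so a job whose ID is a
// prefix of a privileged job's ID collects that job's policies too.
func (s *PolicyStore) LookupByPrefix(jobID string) []Policy {
	var out []Policy
	for _, id := range s.sortedJobIDs() {
		if strings.HasPrefix(id, jobID) {
			out = append(out, s.byJob[id]...)
		}
	}
	return out
}

// LookupExact models the fix: the index key must equal the job ID, so
// "billing" never sees policies bound to "billing-admin".
func (s *PolicyStore) LookupExact(jobID string) []Policy {
	return append([]Policy(nil), s.byJob[jobID]...)
}

// HasRule reports whether any returned policy grants the named rule; it
// stands in for the authorizer that would consume the lookup result.
func HasRule(ps []Policy, rule string) bool {
	for _, p := range ps {
		if p.Rules == rule {
			return true
		}
	}
	return false
}

// PolicyNames lists the names of the policies a lookup returned.
func PolicyNames(ps []Policy) []string {
	names := make([]string, 0, len(ps))
	for _, p := range ps {
		names = append(names, p.Name)
	}
	return names
}

func main() {
	store := NewPolicyStore()
	// Constructed sample data: a privileged policy bound to "billing-admin".
	store.Attach(Policy{Name: "billing-admin-secrets", JobID: "billing-admin", Rules: "secrets:read"})

	// The attacker submits a job whose ID is a prefix of the privileged job's ID.
	attackerJob := "billing"
	fmt.Println("prefix lookup:", PolicyNames(store.LookupByPrefix(attackerJob)),
		"secrets:read =", HasRule(store.LookupByPrefix(attackerJob), "secrets:read"))
	fmt.Println("exact lookup: ", PolicyNames(store.LookupExact(attackerJob)),
		"secrets:read =", HasRule(store.LookupExact(attackerJob), "secrets:read"))
}
```

The prefix lookup hands the "billing" job the "billing-admin-secrets" policy, which is the shadowing the advisory describes; the exact lookup returns nothing for it. The practical check on a real cluster is the same idea run against your own job list: look for job IDs that are prefixes of other, more privileged job IDs, and treat those as the ones an attacker would target until the cluster is patched.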
