A significant security vulnerability in the HashiCorp Nomad workload orchestrator allows attackers to escalate privileges by exploiting the Access Control List (ACL) policy lookup mechanism. The vulnerability, tracked as CVE-2025-4922, affects both Community and Enterprise editions of Nomad across multiple versions and poses a serious risk to organizations relying on the platform’s security controls. The flaw stems from incorrect prefix-based ACL policy lookups that can lead to unintended policy rule shadowing, enabling malicious actors to inherit privileged access by strategically naming new jobs with prefixed identifiers that match existing high-privilege workloads.
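
A defensive audit for the naming overlap described above, as an added example that is not HashiCorp's code: it flags jobs whose IDs stand in a prefix relationship with a job that has an ACL policy attached. The Job struct, its fields and the sample inventory are assumptions constructed for illustration, and both prefix directions are reported because the text does not say which one the flawed lookup matched.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Job is a simplified stand-in for a registered job (assumed shape, not Nomad's struct).
type Job struct {
	Namespace, ID string
	HasPolicy     bool // true when an ACL policy is attached to this job
}

// Overlap pairs a policy-bearing job with another job whose ID overlaps it by prefix.
type Overlap struct{ Namespace, PolicyJob, OtherJob string }

// FindPrefixOverlaps reports, per namespace, every job whose ID is a strict
// prefix of a policy-bearing job's ID or is strictly prefixed by it.
// An exact-match lookup would never confuse these pairs; a prefix lookup can.
func FindPrefixOverlaps(jobs []Job) []Overlap {
	var out []Overlap
	for _, p := range jobs {
		if !p.HasPolicy || p.ID == "" {
			continue
		}
		for _, j := range jobs {
			if j.Namespace != p.Namespace || j.ID == p.ID || j.ID == "" {
				continue
			}
			if strings.HasPrefix(j.ID, p.ID) || strings.HasPrefix(p.ID, j.ID) {
				out = append(out, Overlap{p.Namespace, p.ID, j.ID})
			}
		}
	}
	sort.Slice(out, func(a, b int) bool {
		if out[a].PolicyJob != out[b].PolicyJob {
			return out[a].PolicyJob < out[b].PolicyJob
		}
		return out[a].OtherJob < out[b].OtherJob
	})
	return out
}

// SampleJobs returns a constructed inventory; none of these names come from the advisory.
func SampleJobs() []Job {
	return []Job{
		{"default", "deploy", true}, {"default", "deploy-canary", false},
		{"default", "dep", false}, {"default", "web", false},
		{"batch", "deploy-canary", false}, // other namespace, so not flagged
	}
}

func main() {
	for _, o := range FindPrefixOverlaps(SampleJobs()) {
		fmt.Printf("%s: %q overlaps policy-bearing job %q\n", o.Namespace, o.OtherJob, o.PolicyJob)
	}
}
```

Each finding is a pair to review by hand: confirm that the overlapping job was registered by a trusted submitter and whether the names should be changed so they no longer overlap.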