{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2808", "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "state": "PUBLISHED", "assignerShortName": "HashiCorp", "dateReserved": "2026-02-19T15:17:24.550Z", "datePublished": "2026-03-11T23:08:32.414Z", "dateUpdated": "2026-04-17T17:57:55.646Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["64 bit", "32 bit", "x86", "ARM", "MacOS", "Windows", "Linux"], "product": "Consul", "repo": "https://github.com/hashicorp/consul", "vendor": "HashiCorp", "versions": [{"lessThan": "1.22.5", "status": "affected", "version": "0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "platforms": ["64 bit", "32 bit", "x86", "ARM", "MacOS", "Windows", "Linux"], "product": "Consul Enterprise", "repo": "https://github.com/hashicorp/consul", "vendor": "HashiCorp", "versions": [{"changes": [{"at": "1.21.11", "status": "unaffected"}, {"at": "1.18.21", "status": "unaffected"}], "lessThan": "1.22.5", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "value": "This issue was identified by Defang Bo."}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>HashiCorp Consul and Consul Enterprise 1.18.20 up to 1.21.10 and 1.22.4 are vulnerable to arbitrary file read when configured with Kubernetes authentication. This vulnerability, CVE-2026-2808, is fixed in Consul 1.18.21, 1.21.11 and 1.22.5.</p><br/>"}], "value": "HashiCorp Consul and Consul Enterprise 1.18.20 up to 1.21.10 and 1.22.4 are vulnerable to arbitrary file read when configured with Kubernetes authentication. This vulnerability, CVE-2026-2808, is fixed in Consul 1.18.21, 1.21.11 and 1.22.5."}], "impacts": [{"capecId": "CAPEC-23", "descriptions": [{"lang": "en", "value": "CAPEC-23: File Content Injection"}]}], "metrics": [{"cvssV3_1": {"baseScore": 6.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-59", "description": "CWE-59: Improper Link Resolution Before File Access (Link Following)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "shortName": "HashiCorp", "dateUpdated": "2026-04-17T17:57:55.646Z"}, "references": [{"url": "https://discuss.hashicorp.com/t/hcsec-2026-02-consul-vulnerable-to-arbitrary-file-reads-through-the-vault-kubernetes-authentication-provider/77232"}], "source": {"advisory": "HCSEC-2026-02", "discovery": "EXTERNAL"}, "title": "Consul vulnerable to arbitrary file reads through the vault kubernetes authentication provider"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T13:28:18.993425Z", "id": "CVE-2026-2808", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T13:28:26.972Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2808", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-12T13:28:18.993425Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T13:28:22.607Z"}}], "cna": {"title": "Consul vulnerable to arbitrary file reads through the vault kubernetes authentication provider", "source": {"advisory": "HCSEC-2026-02", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "value": "This issue was identified by Defang Bo."}], "impacts": [{"capecId": "CAPEC-23", "descriptions": [{"lang": "en", "value": "CAPEC-23: File Content Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 6.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/hashicorp/consul", "vendor": "HashiCorp", "product": "Consul", "versions": [{"status": "affected", "version": "0", "lessThan": "1.22.5", "versionType": "semver"}], "platforms": ["64 bit", "32 bit", "x86", "ARM", "MacOS", "Windows", "Linux"], "defaultStatus": "unaffected"}, {"repo": "https://github.com/hashicorp/consul", "vendor": "HashiCorp", "product": "Consul Enterprise", "versions": [{"status": "affected", "changes": [{"at": "1.21.11", "status": "unaffected"}, {"at": "1.18.21", "status": "unaffected"}], "version": "0", "lessThan": "1.22.5", "versionType": "semver"}], "platforms": ["64 bit", "32 bit", "x86", "ARM", "MacOS", "Windows", "Linux"], "defaultStatus": "unaffected"}], "references": [{"url": "https://discuss.hashicorp.com/t/hcsec-2026-02-consul-vulnerable-to-arbitrary-file-reads-through-the-vault-kubernetes-authentication-provider/77232"}], "descriptions": [{"lang": "en", "value": "HashiCorp Consul and Consul Enterprise 1.18.20 up to 1.21.10 and 1.22.4 are vulnerable to arbitrary file read when configured with Kubernetes authentication. This vulnerability, CVE-2026-2808, is fixed in Consul 1.18.21, 1.21.11 and 1.22.5.", "supportingMedia": [{"type": "text/html", "value": "<p>HashiCorp Consul and Consul Enterprise 1.18.20 up to 1.21.10 and 1.22.4 are vulnerable to arbitrary file read when configured with Kubernetes authentication. This vulnerability, CVE-2026-2808, is fixed in Consul 1.18.21, 1.21.11 and 1.22.5.</p><br/>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-59", "description": "CWE-59: Improper Link Resolution Before File Access (Link Following)"}]}], "providerMetadata": {"orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "shortName": "HashiCorp", "dateUpdated": "2026-04-17T17:57:55.646Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2808", "state": "PUBLISHED", "dateUpdated": "2026-04-17T17:57:55.646Z", "dateReserved": "2026-02-19T15:17:24.550Z", "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "datePublished": "2026-03-11T23:08:32.414Z", "assignerShortName": "HashiCorp"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "HashiCorp Consul and Consul Enterprise 1.18.20 up to 1.21.10 and 1.22.4 are vulnerable to arbitrary file read when configured with Kubernetes authentication. This vulnerability, CVE-2026-2808, is fixed in Consul 1.18.21, 1.21.11 and 1.22.5."}, {"lang": "es", "value": "HashiCorp Consul y Consul Enterprise 1.18.20 hasta 1.21.10 y 1.22.4 son vulnerables a la lectura arbitraria de archivos cuando est\u00e1n configurados con autenticaci\u00f3n de Kubernetes. Esta vulnerabilidad, CVE-2026-2808, est\u00e1 corregida en Consul 1.18.21, 1.21.11 y 1.22.5."}], "id": "CVE-2026-2808", "lastModified": "2026-03-12T21:07:53.427", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.0, "source": "security@hashicorp.com", "type": "Secondary"}]}, "published": "2026-03-12T00:16:11.770", "references": [{"source": "security@hashicorp.com", "url": "https://discuss.hashicorp.com/t/hcsec-2026-02-consul-vulnerable-to-arbitrary-file-reads-through-the-vault-kubernetes-authentication-provider/77232"}], "sourceIdentifier": "security@hashicorp.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-59"}], "source": "security@hashicorp.com", "type": "Secondary"}]}

{"bugzilla": {"description": "github.com/hashicorp/consul: HashiCorp Consul: Arbitrary file read via Kubernetes authentication configuration", "id": "2446879", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2446879"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-59", "details": ["A flaw was found in HashiCorp Consul. When configured with Kubernetes authentication, a highly privileged attacker can exploit this vulnerability to perform arbitrary file reads. This could lead to the disclosure of sensitive information from the system."], "name": "CVE-2026-2808", "package_state": [{"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/logging-loki-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/loki-rhel9-operator", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:6", "fix_state": "Not affected", "package_name": "openshift-logging/logging-loki-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:6", "fix_state": "Not affected", "package_name": "openshift-logging/loki-rhel9-operator", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:multicluster_globalhub", "fix_state": "Not affected", "package_name": "multicluster-globalhub/multicluster-globalhub-grafana-rhel9", "product_name": "Multicluster Global Hub"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Not affected", "package_name": "openshift-serverless-1/kn-plugin-event-sender-rhel9", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Not affected", "package_name": "openshift-service-mesh/istio-rhel8-operator", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/acm-grafana-rhel9", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/kube-state-metrics-rhel9", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/prometheus-rhel9", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "ansible-automation-platform/platform-operator-bundle", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:edge_manager:1", "fix_state": "Not affected", "package_name": "flightctl", "product_name": "Red Hat Edge Manager 1"}, {"cpe": "cpe:/a:redhat:edge_manager:1", "fix_state": "Not affected", "package_name": "rhem/flightctl-alert-exporter-rhel9", "product_name": "Red Hat Edge Manager 1"}, {"cpe": "cpe:/a:redhat:edge_manager:1", "fix_state": "Not affected", "package_name": "rhem/flightctl-alertmanager-proxy-rhel9", "product_name": "Red Hat Edge Manager 1"}, {"cpe": "cpe:/a:redhat:edge_manager:1", "fix_state": "Not affected", "package_name": "rhem/flightctl-api-rhel9", "product_name": "Red Hat Edge Manager 1"}, {"cpe": "cpe:/a:redhat:edge_manager:1", "fix_state": "Not affected", "package_name": "rhem/flightctl-cli-artifacts-rhel9", "product_name": "Red Hat Edge Manager 1"}, {"cpe": "cpe:/a:redhat:edge_manager:1", "fix_state": "Not affected", "package_name": "rhem/flightctl-db-setup-rhel9", "product_name": "Red Hat Edge Manager 1"}, {"cpe": "cpe:/a:redhat:edge_manager:1", "fix_state": "Not affected", "package_name": "rhem/flightctl-pam-issuer-rhel9", "product_name": "Red Hat Edge Manager 1"}, {"cpe": "cpe:/a:redhat:edge_manager:1", "fix_state": "Not affected", "package_name": "rhem/flightctl-periodic-rhel9", "product_name": "Red Hat Edge Manager 1"}, {"cpe": "cpe:/a:redhat:edge_manager:1", "fix_state": "Not affected", "package_name": "rhem/flightctl-telemetry-gateway-rhel9", "product_name": "Red Hat Edge Manager 1"}, {"cpe": "cpe:/a:redhat:edge_manager:1", "fix_state": "Not affected", "package_name": "rhem/flightctl-userinfo-proxy-rhel9", "product_name": "Red Hat Edge Manager 1"}, {"cpe": "cpe:/a:redhat:edge_manager:1", "fix_state": "Not affected", "package_name": "rhem/flightctl-worker-rhel9", "product_name": "Red Hat Edge Manager 1"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "opentelemetry-collector", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "opentelemetry-collector", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/oc-mirror-plugin-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-kube-state-metrics-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-prometheus", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-prometheus-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Not affected", "package_name": "devspaces/traefik-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Not affected", "package_name": "rhosdt/opentelemetry-collector-rhel9", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Not affected", "package_name": "rhosdt/opentelemetry-rhel9-operator", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Not affected", "package_name": "rhosdt/opentelemetry-target-allocator-rhel9", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Not affected", "package_name": "rhosdt/tempo-query-rhel9", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Not affected", "package_name": "rhosdt/tempo-rhel9", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Not affected", "package_name": "openshift-gitops-1/argocd-rhel8", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Not affected", "package_name": "openshift-gitops-1/argocd-rhel9", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openstack:18.0", "fix_state": "Not affected", "package_name": "rhoso-operators/openstack-operator-bundle", "product_name": "Red Hat OpenStack Platform 18.0"}], "public_date": "2026-03-11T23:08:32Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-2808\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-2808\nhttps://discuss.hashicorp.com/t/hcsec-2026-02-consul-vulnerable-to-arbitrary-file-reads-through-the-vault-kubernetes-authentication-provider/77232"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": ["64_bit", "32_bit", "x86", "arm", "macos", "windows", "linux"], "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.22.5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Consul", "source": "cna", "vendor": "HashiCorp"}, "product": "consul", "vendor": "hashicorp"}, {"configurations": [{"platform": ["64 bit", "32 bit", "x86", "ARM", "MacOS", "Windows", "Linux"], "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.22.5)"}}, {"platform": ["64 bit", "32 bit", "x86", "ARM", "MacOS", "Windows", "Linux"], "status": "unaffected", "versions": {"scheme": "semver", "value": "1.21.11"}}, {"platform": ["64 bit", "32 bit", "x86", "ARM", "MacOS", "Windows", "Linux"], "status": "unaffected", "versions": {"scheme": "semver", "value": "1.18.21"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "consul_enterprise", "vendor": "hashicorp"}], "analysis": {"en": {"generated_at": "2026-03-17T15:24:46.794879+00:00", "value": {"mitigation_remediation": ["Upgrade HashiCorp Consul to version 1.18.21, 1.21.11, 1.22.5, or later", "Confirm that all Consul instances are fully patched and no older versions remain in the environment", "Review and restrict access to the Vault Kubernetes authentication API to trusted administrators only", "Test that file read functionality is no longer exposed after upgrade"], "summary": {"action": "Apply Patch", "impact": "Arbitrary File Read"}, "threat_synthesis": {"affected_systems": "Affected are HashiCorp Consul and Consul Enterprise versions 1.18.20 through 1.21.10 and 1.22.4. Any deployment using these versions with Kubernetes authentication enabled is vulnerable. The issue has been fixed in Consul releases 1.18.21, 1.21.11, and 1.22.5 and later.", "description_and_impact": "HashiCorp Consul and Consul Enterprise are affected by a Path Traversal vulnerability (CWE\u201159) in the Vault Kubernetes authentication provider. The flaw allows an authenticated attacker to craft requests that result in reading arbitrary files from the host filesystem, potentially exposing sensitive configuration data, credentials, or other confidential information. This vulnerability directly compromises confidentiality and could be leveraged as a foothold for further exploitation.", "risk_and_exploitability": "The vulnerability has a CVSS v3.1 score of 6.8 (Medium) and an EPSS score below 1\u202f%, indicating a low probability of widespread exploitation. It does not appear in the CISA KEV catalog. Based on the description, the likely attack vector requires access to the Vault Kubernetes authentication interface; an attacker must be able to send specially crafted requests that bypass proper path validation to read unintended files."}}}}, "created": "2026-03-12T09:55:04.662157+00:00", "updated": "2026-03-20T15:36:38.808529+00:00", "vendors": ["hashicorp", "hashicorp$PRODUCT$consul", "hashicorp$PRODUCT$consul_enterprise"]}