CVE-2025-4922

8.1 HIGH

📋 TL;DR

This vulnerability in Nomad's ACL policy lookup system can cause incorrect rule application and rule shadowing, potentially allowing unauthorized access to resources. It affects Nomad Community and Enterprise editions before the patched versions listed below. Organizations using vulnerable Nomad deployments for workload orchestration are at risk.

💻 Affected Systems

Products:
  • Nomad Community Edition
  • Nomad Enterprise
Versions: All versions before Nomad Community 1.10.2, Nomad Enterprise 1.10.2, 1.9.10, and 1.8.14
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments using ACL policies with prefix-based rules

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could bypass ACL policies to access sensitive job data, modify workloads, or escalate privileges within the Nomad cluster.

🟠 Likely Case

Unauthorized users might gain unintended access to job information or resources they shouldn't have permissions for.

🟢 If Mitigated

With proper network segmentation and minimal necessary permissions, impact would be limited to specific namespaces or jobs.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires existing ACL policy access to exploit; a detailed technical explanation is available in the vendor advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Nomad Community 1.10.2, Nomad Enterprise 1.10.2, 1.9.10, or 1.8.14

Vendor Advisory: https://discuss.hashicorp.com/t/hcsec-2025-12-nomad-vulnerable-to-incorrect-acl-policy-lookup-attached-to-a-job/75396

Restart Required: Yes

Instructions:

1. Back up Nomad configuration and data.
2. Download the patched version from HashiCorp releases.
3. Stop the Nomad service.
4. Replace the binary with the patched version.
5. Restart the Nomad service.
6. Verify functionality.

🔧 Temporary Workarounds

Restrict ACL Policy Complexity

Simplify ACL policies to avoid complex prefix-based rules that trigger the vulnerability

Review and modify ACL policies to use exact matches instead of prefixes where possible

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Nomad clusters
  • Apply principle of least privilege and audit all ACL policies for unnecessary prefix rules

🔍 How to Verify

Check if Vulnerable:

Check Nomad version with 'nomad version' and compare against affected versions

Check Version:

nomad version

Verify Fix Applied:

Confirm the version is 1.10.2 or higher (Community), or 1.10.2, 1.9.10 or 1.8.14 or higher within its release series (Enterprise), then test ACL policy behavior.
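The version check described above, as an added example (not code from this advisory or from HashiCorp): it parses the first line of `nomad version` output and applies this page's patched-version list per edition, so that an unpatched Community 1.9.x build is flagged even though Enterprise 1.9.10 is fixed. The `+ent` suffix used to recognise Enterprise builds is an assumption of this example.

```python
import re
from typing import Tuple

# Fixed versions as stated in this advisory, keyed by (major, minor) series.
# Community Edition only received a fix in the 1.10 series; Enterprise also
# received backports to 1.9 and 1.8.
FIXED_VERSIONS = {
    "community": {(1, 10): (1, 10, 2)},
    "enterprise": {(1, 10): (1, 10, 2), (1, 9): (1, 9, 10), (1, 8): (1, 8, 14)},
}

# First line of `nomad version`, e.g. "Nomad v1.9.3" or "Nomad v1.9.3+ent".
# The "+ent" marker for Enterprise builds is an assumption of this example;
# pre-release tags such as "-rc.1" are ignored for the comparison.
_VERSION_RE = re.compile(r"^Nomad v(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.]+)?(\+ent)?\b")


def parse_version(first_line: str) -> Tuple[Tuple[int, int, int], str]:
    """Return ((major, minor, patch), edition) from the first line of `nomad version`."""
    m = _VERSION_RE.match(first_line.strip())
    if not m:
        raise ValueError(f"unrecognised nomad version line: {first_line!r}")
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    edition = "enterprise" if m.group(4) else "community"
    return version, edition


def is_vulnerable(first_line: str) -> bool:
    """True if the reported build predates the CVE-2025-4922 fix for its edition and series."""
    version, edition = parse_version(first_line)
    fixes = FIXED_VERSIONS[edition]
    series = version[:2]
    if series in fixes:
        # A patched series: vulnerable only below the fix in that series.
        return version < fixes[series]
    # A series newer than every listed fix already carries the change.
    if version > max(fixes.values()):
        return False
    # An older series with no backport (e.g. Community 1.9.x) stays vulnerable.
    return True


if __name__ == "__main__":
    # Constructed sample outputs, not captured from real clusters.
    for line in ("Nomad v1.9.10", "Nomad v1.9.10+ent", "Nomad v1.10.1", "Nomad v1.11.0"):
        print(f"{line:<20} vulnerable={is_vulnerable(line)}")
```

Feed it the first line of the real `nomad version` output on each server and client; the edition split matters because a Community 1.9.10 build reports the same numeric version as a patched Enterprise one but has no fix.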

📡 Detection & Monitoring

Log Indicators:

  • Unexpected ACL policy evaluation logs
  • Unauthorized access attempts to job resources

Network Indicators:

  • Unusual API calls to Nomad ACL endpoints from unexpected sources

SIEM Query:

source="nomad" AND ("ACL" OR "policy") AND ("denied" OR "unauthorized")
