HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1 workload identity token can list non-sensitive metadata for paths under `nomad/` that belong to other jobs in the same namespace. Fixed in 1.4.2.

Affected Packages

Go github.com/hashicorp/nomad

Affected versions: 1.4.0 (fixed in 1.4.2)

Related CVEs

CVE-2022-3866

Key Information

GHSA ID

GHSA-7wg4-8m5p-hrfg

Published

November 10, 2022 12:01 PM

Last Modified

May 22, 2023 6:33 PM

CVSS Score

5.0 /10

Primary Ecosystem

Primary Package

github.com/hashicorp/nomad

GitHub Reviewed

✓ Yes

Dataset

Last updated: November 26, 2025 6:30 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.