A vulnerability was identified in Nomad such that the API caller’s ACL token secret ID is exposed to Sentinel policies. This vulnerability, CVE-2023-3299, affects Nomad from 1.2.11 up to 1.5.6, and 1.4.10 and was fixed in 1.6.0, 1.5.7, and 1.4.11.

Affected Packages

Go github.com/hashicorp/nomad

Affected versions: 1.2.11 (fixed in 1.4.11)

Go github.com/hashicorp/nomad

Affected versions: 1.5.0 (fixed in 1.5.7)

Related CVEs

CVE-2023-3299

Key Information

GHSA ID

GHSA-9jfx-84v9-2rr2

Published

July 20, 2023 12:30 AM

Last Modified

September 26, 2024 9:43 PM

CVSS Score

2.5 /10

Primary Ecosystem

Primary Package

github.com/hashicorp/nomad

GitHub Reviewed

✓ Yes

Dataset

Last updated: November 26, 2025 6:30 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.