Nomad Community and Nomad Enterprise ("Nomad") allocations are vulnerable to privilege escalation within a namespace through unredacted workload identity tokens. This vulnerability, identified as CVE-2024-12678, is fixed in Nomad Community Edition 1.9.4 and Nomad Enterprise 1.9.4, 1.8.8, and 1.7.16.

Affected Packages

Go github.com/hashicorp/nomad

Affected versions: 0 (fixed in 1.9.4)

Related CVEs

CVE-2024-12678

Key Information

GHSA ID

GHSA-hr68-hvgv-xxqf

Published

December 20, 2024 3:30 AM

Last Modified

December 20, 2024 3:05 PM

CVSS Score

5.0 /10

Primary Ecosystem

Primary Package

github.com/hashicorp/nomad

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 6, 2025 6:30 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.