GHSA-vh73-q3rw-qx7w

GitHub Security Advisory

Boundary vulnerable to session hijacking through TLS certificate tampering

✓ GitHub Reviewed HIGH Has CVE

Advisory Details

Boundary and Boundary Enterprise (“Boundary”) are vulnerable to session hijacking through TLS certificate tampering. An attacker with privileges to enumerate active or pending sessions, obtain a private key pertaining to a session, and obtain a valid trust-on-first-use (TOFU) token may craft a TLS certificate to hijack an active session and gain access to the underlying service or application.

Affected Packages

Go github.com/hashicorp/boundary
Affected versions: 0.8.0 (fixed in 0.15.0)

Related CVEs

Key Information

GHSA ID: GHSA-vh73-q3rw-qx7w
Published: February 5, 2024 9:30 PM
Last Modified: February 5, 2024 11:06 PM
CVSS Score: 7.5/10
Primary Ecosystem: Go
Primary Package: github.com/hashicorp/boundary
GitHub Reviewed: ✓ Yes

Dataset

Last updated: November 25, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.