CVE-2025-4922

Published: Jun 11, 2025Modified: Dec 22, 2025

8.1

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Exploitability: 2.8 / Impact: 5.2

Source: security@hashicorp.com (Secondary)

Description

Nomad Community and Nomad Enterprise (“Nomad”) prefix-based ACL policy lookup can lead to incorrect rule application and shadowing. This vulnerability, identified as CVE-2025-4922, is fixed in Nomad Community Edition 1.10.2 and Nomad Enterprise 1.10.2, 1.9.10, and 1.8.14.

Affected (4)

Products: Hashicorp: Nomad

1 product

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Hashicorp Nomad	From 1.4.0 to 1.10.2
Hashicorp Nomad	From 1.10.0 to 1.10.2
Hashicorp Nomad	From 1.4.0 to 1.8.14
Hashicorp Nomad	From 1.9.0 to 1.9.10

Related CWEs

Incorrect Privilege Assignment

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

References (1)

https://discuss.hashicorp.com/t/hcsec-2025-12-nomad-vulnerable-to-incorrect-acl-policy-lookup-attached-to-a-job/75396

Source: security@hashicorp.com

Vendor Advisory

Timeline

No history available yet.