Vulnerability Monitor

CVE-2025-4922


Nomad Community and Nomad Enterprise (“Nomad”) prefix-based ACL policy lookup can lead to incorrect rule application and shadowing. This vulnerability, identified as CVE-2025-4922, is fixed in Nomad Community Edition 1.10.2 and Nomad Enterprise 1.10.2, 1.9.10, and 1.8.14.


Published

2025-06-11T14:15:37.140

Last Modified

2025-12-22T16:37:53.027

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 8.1 (HIGH)

Weaknesses
  • Type: Secondary
    CWE-266

Affected Vendors & Products
Type         Vendor     Product  Version/Range  Vulnerable?
Application  hashicorp  nomad    < 1.8.14       Yes
Application  hashicorp  nomad    < 1.10.2       Yes
Application  hashicorp  nomad    < 1.9.10       Yes
Application  hashicorp  nomad    < 1.10.2       Yes
