← back
CVE-2026-14468

Path traversal allows arbitrary file read in Terraform Enterprise container

CVSS 7.7 HIGHEPSS 0.3%CWE-22
Vexday Risk Score
21Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 7.7EPSS 0.3%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
06 Jul 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
HashiCorp Terraform Enterprise contained an issue in its version control system (VCS) ingestion of registry modules that did not correctly enforce the intended boundary on packaged module content. This may allow an authenticated user to include files from outside the intended repository content in a module and then download them, potentially exposing sensitive files readable by the ingestion process. This vulnerability, CVE-2026-14468, is fixed in Terraform Enterprise v2.0.4 and v1.2.4.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N