{
  "cve_id": "CVE-2026-7474",
  "ghsa_id": "GHSA-hx53-77qj-8663",
  "vulnerability_type": "Path Traversal leading to Arbitrary Command Execution",
  "cwe_ids": ["CWE-22", "CWE-78"],
  "cvss_3.1_score": 8.8,
  "affected_product": "HashiCorp Nomad / Nomad Enterprise",
  "affected_versions": "Prior to v2.0.1",
  "fixed_version": "v2.0.1",
  "reproduction_status": "CONFIRMED",
  "verdict": "VULNERABILITY_REPRODUCED",
  "reproduction_timestamp": "2026-05-28T18:38:23Z",
  "reproduction_method": "Runtime execution of vulnerable and fixed Nomad binaries with path traversal payload",
  "vulnerable_binary_version": "v2.0.0",
  "fixed_binary_version": "v2.0.1",
  "payload": "../../../../bin/ls",
  "attack_vector": "Authenticated user with host-volume-create ACL sends HostVolume.Create request with malicious PluginID and explicit NodeID",
  "evidence": {
    "vulnerable_execution": {
      "description": "Vulnerable Nomad v2.0.0 accepted path traversal payload and executed arbitrary binary",
      "http_status": 500,
      "response_body": "HostVolume.Create error: error creating volume \"f09840bb-a5d8-0b96-39c6-77deafd35c19\" with plugin \"../../../../bin/ls\": exit status 2",
      "interpretation": "The server forwarded the request to the client, which resolved the traversal sequence to /bin/ls and invoked it with Nomad's plugin arguments (the 'create' subcommand). /bin/ls exits with status 2 because it cannot act on those arguments; the fact that an exit status from /bin/ls is reported at all confirms that a binary outside the plugin directory was executed under Nomad's plugin invocation, i.e. arbitrary command execution.",
      "log_file": "logs/vulnerable_api.txt",
      "cve_repro_output": "VULNERABLE: executable escaped to /bin/ls\nFingerprint error (proves execution): error fingerprinting plugin \"../../../../bin/ls\": exit status 2\nexit status 1"
    },
    "fixed_execution": {
      "description": "Fixed Nomad v2.0.1 rejected the request before forwarding to client",
      "http_status": 500,
      "response_body": "could not place volume \"cve-test-vol\": node 33225465-afa9-a5c1-2acf-02c0de00879a is not feasible for volume",
      "interpretation": "The server now enforces plugin feasibility constraints even when an explicit NodeID is provided, so the request is rejected before it reaches the client and the traversal sequence is never resolved there. The different message in cve_repro_output (no such plugin) comes from the direct client-side test, indicating that the malicious PluginID is also rejected at the client layer.",
      "log_file": "logs/fixed_api.txt",
      "cve_repro_output": "BLOCKED: no such plugin: \"../../../../bin/ls\""
    }
  },
  "root_cause_summary": "NewHostVolumePluginExternal in client/hostvolumemanager/host_volume_plugin.go used filepath.Join(pluginDir, filename) without validating that filename stays within pluginDir. A malicious PluginID containing '../' sequences resolved to arbitrary filesystem paths. The server-side placeHostVolume shortcut skipped feasibility checks when an explicit NodeID was present, allowing the malicious request to reach the client.",
  "fix_summary": "The fix in v2.0.1 adds server-side plugin feasibility validation even for explicit NodeID requests and client-side path containment checks using os.OpenRoot or equivalent validation to prevent directory traversal.",
  "confidence": "HIGH",
  "test_repeatability": "IDEMPOTENT",
  "notes": "Reproduction confirmed via both direct Go module test (cve_repro.go) and full Nomad agent API test (reproduction_steps.sh). Both methods independently confirm the vulnerability in v2.0.0 and its remediation in v2.0.1."
}
