{
  "variant_id": "CVE-2026-7474-variant-analysis",
  "created_at": "2026-05-28T19:24:00Z",
  "variant_summary": "Variant analysis for CVE-2026-7474: tested path traversal, symlink escape, and the Register->Delete chain against the fixed version v2.0.1. No bypass was confirmed; client-side os.OpenRoot blocks all direct traversal variants tested. Evidence is limited to code analysis and unit tests; no end-to-end runtime validation was performed.",
  "relation": "newer_version_sibling",
  "origin_kind": "pruva_variant",
  "repository": "https://github.com/hashicorp/nomad",
  "submitted_target": {
    "target_kind": "git_tag",
    "version": "v2.0.0",
    "display": "hashicorp/nomad v2.0.0"
  },
  "variant_target": {
    "target_kind": "git_tag",
    "commit_sha": "5c11f948ba7e9e709abf7f2ab7895ba5b44feb39",
    "version": "v2.0.1",
    "display": "hashicorp/nomad v2.0.1"
  },
  "same_root_cause_confidence": "high",
  "same_surface_confidence": "medium",
  "claimed_surface": "HostVolume.Create with malicious PluginID",
  "validated_surface": "NewHostVolumePluginExternal sink reached via Create, Delete, or restore; blocked by os.OpenRoot on fixed version",
  "required_entrypoint_kind": "api_endpoint",
  "required_entrypoint_detail": "HostVolume.Create or HostVolume.Register followed by HostVolume.Delete RPC",
  "attacker_controlled_input": "PluginID field in HostVolume create/register request",
  "trigger_path": "client/hostvolumemanager/host_volumes.go:getPlugin -> client/hostvolumemanager/host_volume_plugin.go:NewHostVolumePluginExternal -> exec.CommandContext",
  "observed_impact_class": "arbitrary_command_execution",
  "exploitability_confidence": "high_on_vulnerable_blocked_on_fixed",
  "evidence_scope": "code_analysis_and_unit_test",
  "runtime_manifest_present": false,
  "end_to_end_target_reached": false,
  "inferred": false,
  "file_path": "client/hostvolumemanager/host_volume_plugin.go",
  "line_start": 224,
  "line_end": 250,
  "secondary_anchors": [
    {
      "file_path": "nomad/host_volume_endpoint.go",
      "line_start": 535,
      "line_end": 570
    },
    {
      "file_path": "client/hostvolumemanager/host_volumes.go",
      "line_start": 197,
      "line_end": 230
    }
  ],
  "review_scope_paths": [
    "client/hostvolumemanager/host_volume_plugin.go",
    "client/hostvolumemanager/host_volumes.go",
    "nomad/host_volume_endpoint.go",
    "nomad/structs/host_volumes.go"
  ],
  "artifact_refs": {
    "variant_manifest": "vuln_variant/variant_manifest.json",
    "validation_verdict": "vuln_variant/validation_verdict.json",
    "runtime_manifest": "",
    "repro_log": "logs/vuln_variant/",
    "root_cause_equivalence": "vuln_variant/root_cause_equivalence.json",
    "reproducer": ["vuln_variant/reproduction_steps.sh", "vuln_variant/variant_test.go"]
  }
}
