CVE-2026-14468
Last modified
CVE-2026-14468 is a high-severity vulnerability rated 7.7/10 on the CVSS scale. HashiCorp Terraform Enterprise contained an issue in its version control system (VCS) ingestion of registry modules that did not correctly enforce the intended boundary on packaged module content. This may allow an authenticated user to include files from outside the intended repository content in a module and then download them, potentially exposing sensitive files readable by the ingestion process. EPSS estimates a 0.29% chance of exploitation in the next 30 days.
Description
HashiCorp Terraform Enterprise contained an issue in its version control system (VCS) ingestion of registry modules that did not correctly enforce the intended boundary on packaged module content. This may allow an authenticated user to include files from outside the intended repository content in a module and then download them, potentially exposing sensitive files readable by the ingestion process. This vulnerability, CVE-2026-14468, is fixed in Terraform Enterprise v2.0.4 and v1.2.4.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Weakness Enumeration
Affected Software
Source: CNA advisory (CVE.org). NVD analysis pending.
| Vendor | Product | Versions |
|---|---|---|
| HashiCorp | Terraform Enterprise | >= 1.0.0, < 2.0.4 |
References
Timeline
- Published
- Last Modified
- Status
- Deferred
Frequently Asked Questions
What is CVE-2026-14468?
How severe is CVE-2026-14468?
How do I fix CVE-2026-14468?
Related CVEs from 2026
- CVE-2026-1445A vulnerability was found in iJason-Liu Books_Manager up to …4.7
- CVE-2026-14454Imager versions before 1.033 for Perl treat unsigned EXIF IF…9.8
- CVE-2026-14459Improper neutralization of argument delimiters in a command …8.8
- CVE-2026-1446There is a Cross‑Site Scripting (XSS) issue in Esri ArcGIS P…5
- CVE-2026-14460Missing Authorization vulnerability in TUBITAK BILGEM Softwa…8.8
- CVE-2026-14461mtr is vulnerable to Out-of-bound read vulnerability in ipin…5.1
- CVE-2026-1447The Mail Mint plugin for WordPress is vulnerable to Cross-Si…5.4
- CVE-2026-14471Improper Neutralization of Special Elements in the metrics-s…8.6
- CVE-2026-14474A flaw was found in SSSD's LDAP sudo provider. When the ldap…8.8
- CVE-2026-14475The Cookie Banner for GDPR / CCPA – WPLP Cookie Consent plug…4.9
- CVE-2026-14476A path traversal flaw was found in SSSD's AD GPO provider. T…8
- CVE-2026-1448A vulnerability was detected in D-Link DIR-615 up to 4.10. T…7.3
Are you affected by CVE-2026-14468?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST
