๐Ÿ” CVE Alert

CVE-2026-14468

HIGH 7.7

Path traversal allows arbitrary file read in Terraform Enterprise container

CVSS Score
7.7
EPSS Score
0.3%
EPSS Percentile
21th

HashiCorp Terraform Enterprise contained an issue in its version control system (VCS) ingestion of registry modules that did not correctly enforce the intended boundary on packaged module content. This may allow an authenticated user to include files from outside the intended repository content in a module and then download them, potentially exposing sensitive files readable by the ingestion process. This vulnerability, CVE-2026-14468, is fixed in Terraform Enterprise v2.0.4 and v1.2.4.

CWE CWE-22
Vendor hashicorp
Product terraform enterprise
Published Jul 6, 2026
Last Updated Jul 7, 2026
Stay Ahead of the Next One

Get instant alerts for hashicorp terraform enterprise

Be the first to know when new high vulnerabilities affecting hashicorp terraform enterprise are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

HashiCorp / Terraform Enterprise
1.0.0 < 2.0.4

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
discuss.hashicorp.com: https://discuss.hashicorp.com/t/hcsec-2026-17-terraform-enterprise-vulnerable-to-arbitrary-file-read/77549

Credits

This issue was identified by the Terraform Enterprise engineering team.