CVE-2026-14468
Path traversal allows arbitrary file read in Terraform Enterprise container
CVSS Score
7.7
EPSS Score
0.3%
EPSS Percentile
21th
HashiCorp Terraform Enterprise contained an issue in its version control system (VCS) ingestion of registry modules that did not correctly enforce the intended boundary on packaged module content. This may allow an authenticated user to include files from outside the intended repository content in a module and then download them, potentially exposing sensitive files readable by the ingestion process. This vulnerability, CVE-2026-14468, is fixed in Terraform Enterprise v2.0.4 and v1.2.4.
| CWE | CWE-22 |
| Vendor | hashicorp |
| Product | terraform enterprise |
| Published | Jul 6, 2026 |
| Last Updated | Jul 7, 2026 |
Stay Ahead of the Next One
Get instant alerts for hashicorp terraform enterprise
Be the first to know when new high vulnerabilities affecting hashicorp terraform enterprise are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
HashiCorp / Terraform Enterprise
1.0.0 < 2.0.4
References
Credits
This issue was identified by the Terraform Enterprise engineering team.