6.8
Consul: Unsecured access to sensitive files via Kubernetes authentication
CVE-2026-2808
GHSA-cpfq-66p2-336j
BIT-consul-2026-2808
Summary
Using Consul with Kubernetes authentication can allow unauthorized access to files on the system. This is a concern because sensitive data could be exposed. Update to Consul version 1.18.21, 1.21.11, or 1.22.5 to fix this issue.
What to do
- Update github.com hashicorp to version 1.18.21.
- Update github.com hashicorp to version 1.22.5.
- Update github.com hashicorp to version 1.21.11.
- Update consul to version 1.22.5.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| github.com | hashicorp | <= 1.18.21 | 1.18.21 |
| github.com | hashicorp | > 1.22.0-rc1, <= 1.22.5 | 1.22.5 |
| github.com | hashicorp | > 1.19.0, <= 1.21.11 | 1.21.11 |
| – | consul | <= 1.22.5 | 1.22.5 |
Original title
Consul vulnerable to arbitrary file reads through the vault kubernetes authentication provider
Original description
HashiCorp Consul and Consul Enterprise 1.18.20 up to 1.21.10 and 1.22.4 are vulnerable to arbitrary file read when configured with Kubernetes authentication. This vulnerability, CVE-2026-2808, is fixed in Consul 1.18.21, 1.21.11 and 1.22.5.
NVD CVSS 3.1
6.8
Vulnerability type
CWE-59
Link Following
Published: 13 Mar 2026 · Updated: 14 Mar 2026 · First seen: 12 Mar 2026