CVE-2021-41803
Description
HashiCorp Consul 1.8.1 up to 1.11.8, 1.12.4, and 1.13.1 do not properly validate the node or segment names prior to interpolation and usage in JWT claim assertions with the auto config RPC. Fixed in 1.11.9, 1.12.5, and 1.13.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
HashiCorp Consul's auto-config feature fails to validate node and segment names before interpolating them into JWT claim assertions, allowing an authenticated attacker to have Consul issue TLS certificates and ACL tokens for unintended nodes, leading to an authenticated denial of service.
Vulnerability
Overview
CVE-2021-41803 is a missing input validation vulnerability in HashiCorp Consul's auto-config feature. The server does not properly validate node or segment names before interpolating them into JWT claim assertions during the auto-config RPC. This allows a crafted request to bypass the intended authorization checks [1][4].
Exploitation
An authenticated attacker, such as a malicious operator holding a JWT that the auto-config endpoint accepts, can send a specially crafted auto-config request in which the node name in the request does not match the node name asserted in the JWT claims. Because the server interpolates the unvalidated request name into the claim assertions before evaluating them, the check is satisfied, and the server generates TLS certificates and ACL tokens for the attacker-specified node name rather than the one the JWT authorizes [4].
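The following Go program is an added illustration of the flaw class described above and of the kind of input check the fix introduces; it is not Consul's own code and does not reproduce the reported request. The assertion template `value.node == "${node}"` is modeled on the form shown in Consul's auto_config documentation (an assumption, not taken from this page); the expression evaluator is a deliberately tiny toy written for the example rather than Consul's real evaluator, and `authorizeUnvalidated`, `authorizeValidated`, `validNodeName` and the crafted node name are all constructed here for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Claims stands in for the already-verified JWT claims. The sample data
// below is constructed for this example.
type Claims map[string]string

// validNodeName is the kind of allow-list check the fix adds before a
// request-supplied name is interpolated anywhere: letters, digits and
// hyphens only, so quote or operator characters can never reach the
// expression. The exact pattern Consul ships is not reproduced here
// (assumption for illustration).
var validNodeName = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9-]{0,62}$`)

// evaluate is a toy evaluator for a deliberately tiny expression language:
//
//	term ( "||" term )*      where term is      value.<claim> == "<literal>"
//
// It stands in for the real claim-assertion evaluator and exists only so
// the effect of interpolating an unvalidated name can be observed.
func evaluate(expr string, claims Claims) (bool, error) {
	for _, term := range strings.Split(expr, "||") {
		ok, err := evalTerm(strings.TrimSpace(term), claims)
		if err != nil {
			return false, err
		}
		if ok {
			return true, nil
		}
	}
	return false, nil
}

func evalTerm(term string, claims Claims) (bool, error) {
	parts := strings.SplitN(term, "==", 2)
	if len(parts) != 2 {
		return false, fmt.Errorf("malformed term %q", term)
	}
	lhs := strings.TrimSpace(parts[0])
	rhs := strings.TrimSpace(parts[1])
	if !strings.HasPrefix(lhs, "value.") {
		return false, fmt.Errorf("unsupported selector %q", lhs)
	}
	if len(rhs) < 2 || rhs[0] != '"' || rhs[len(rhs)-1] != '"' {
		return false, fmt.Errorf("unquoted literal %q", rhs)
	}
	literal := rhs[1 : len(rhs)-1]
	if strings.Contains(literal, `"`) {
		return false, fmt.Errorf("unbalanced quotes in %q", rhs)
	}
	return claims[strings.TrimPrefix(lhs, "value.")] == literal, nil
}

// authorizeUnvalidated mirrors the flawed pattern: the node name from the
// request is substituted straight into the assertion template.
func authorizeUnvalidated(template, requestedNode string, claims Claims) (bool, error) {
	expr := strings.ReplaceAll(template, "${node}", requestedNode)
	return evaluate(expr, claims)
}

// authorizeValidated is the hardened form: reject any name that is not a
// plain identifier before it can influence the expression at all.
func authorizeValidated(template, requestedNode string, claims Claims) (bool, error) {
	if !validNodeName.MatchString(requestedNode) {
		return false, errors.New("auto-config: invalid node name in request")
	}
	expr := strings.ReplaceAll(template, "${node}", requestedNode)
	return evaluate(expr, claims)
}

func main() {
	// Constructed sample: the JWT was issued for node "web-1".
	claims := Claims{"node": "web-1"}
	template := `value.node == "${node}"`
	// Constructed crafted name: closes the literal and appends a term
	// that matches the JWT's real node name, so the assertion passes for
	// a name the token never authorized.
	crafted := `db-9" || value.node == "web-1`

	for _, name := range []string{"web-1", "db-9", crafted} {
		u, uerr := authorizeUnvalidated(template, name, claims)
		v, verr := authorizeValidated(template, name, claims)
		fmt.Printf("node %q: unvalidated=%v (%v) validated=%v (%v)\n", name, u, uerr, v, verr)
	}
}
```

The point of the hardened form is that validation happens on the raw request field, before interpolation, rather than on the assembled expression: once a name has been spliced into the template, the evaluator can no longer tell which characters came from the operator's assertion and which came from the request.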
Impact
By repeatedly exploiting this flaw, an attacker can force Consul to store unintended node information, leading to an authenticated denial of service. Additionally, the ability to issue credentials for arbitrary node names may enable further unauthorized actions within the cluster [4].
Mitigation
HashiCorp has fixed this vulnerability in Consul versions 1.11.9, 1.12.5, and 1.13.2. Users relying on auto-config should upgrade to these or later versions. No workaround is available [2][4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/hashicorp/consul (Go) | >= 1.8.1, < 1.11.9 | 1.11.9 |
| github.com/hashicorp/consul (Go) | >= 1.12.0, < 1.12.5 | 1.12.5 |
| github.com/hashicorp/consul (Go) | >= 1.13.0, < 1.13.2 | 1.13.2 |
Affected products
Versions sourced from OSV coordinates.
- HashiCorp/Consul
- pkg:apk/chainguard/traefik (no CPE): < 2.9.8-r1
- pkg:apk/wolfi/traefik (no CPE): < 2.9.8-r1
- pkg:bitnami/consul (no CPE): >= 1.8.1, < 1.11.9
- pkg:golang/github.com/hashicorp/consul (no CPE): >= 1.8.1, < 1.11.9
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-hr3v-8cp3-68rf (GHSA, advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/ (MITRE, vendor advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/ (MITRE, vendor advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/ (MITRE, vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-41803 (GHSA, advisory)
- discuss.hashicorp.com/t/hcsec-2022-19-consul-auto-config-jwt-authorization-missing-input-validation/44627 (GHSA, web)
- github.com/hashicorp/consul/pull/14577/commits/2c881259ce10e308ff03afc968c4165998fd7fee (GHSA, web)
- www.hashicorp.com/blog/category/consul (MITRE)
News mentions
No linked articles in our index yet.