Nomad Unauthenticated Client Agent HTTP Request Privilege Escalation
Description
HashiCorp Nomad and Nomad Enterprise versions 1.5.0 up to 1.5.2 allow unauthenticated users to bypass intended ACL authorizations for clusters where mTLS is not enabled. This issue is fixed in version 1.5.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
HashiCorp Nomad 1.5.0–1.5.2 allow unauthenticated users to bypass ACL authorizations when mTLS is disabled.
A vulnerability in HashiCorp Nomad and Nomad Enterprise versions 1.5.0 to 1.5.2 allows unauthenticated users to bypass intended ACL authorizations. The issue occurs when mTLS is not enabled: an unauthenticated HTTP request sent to a client agent's HTTP endpoint is processed on the server through internal RPCs without proper ACL checks [1][3].
An attacker with network access to the Nomad client agent's HTTP endpoint can exploit this by sending crafted unauthenticated requests. This bypass relies on the absence of mTLS, which is recommended for secure deployments. No authentication is required, making the attack surface accessible to any unauthenticated party on the network [3].
Successful exploitation allows the attacker to submit jobs to the cluster, effectively escalating privileges to perform actions normally restricted by ACLs. This can lead to unauthorized workload execution and potential compromise of the cluster [3].
The vulnerability is fixed in Nomad version 1.5.3. HashiCorp strongly recommends upgrading to this version or later, and enabling mTLS for all HTTP and RPC endpoints as a security best practice [1][3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
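The mitigation the advisory recommends, shown as an added Nomad agent configuration example; this is not configuration from the advisory or from the Nomad project, and the certificate file paths are assumptions:

```hcl
# Added example (not from the advisory): Nomad agent configuration with the
# mTLS posture the advisory recommends. File paths are assumptions.

# Weak posture described in the advisory: ACLs enabled, but no tls stanza,
# so the client agent's HTTP endpoint is reachable without mTLS.
#   acl { enabled = true }
#   # (no tls block)

# Hardened posture: TLS on both the HTTP and RPC listeners, a client
# certificate required from HTTP callers, and server hostnames verified on RPC.
acl {
  enabled = true
}

tls {
  http = true
  rpc  = true

  ca_file   = "/etc/nomad.d/tls/nomad-ca.pem"   # assumed path
  cert_file = "/etc/nomad.d/tls/agent.pem"      # assumed path
  key_file  = "/etc/nomad.d/tls/agent-key.pem"  # assumed path

  verify_server_hostname = true   # RPC peers must present a cert for server.<region>.nomad
  verify_https_client    = true   # HTTP API callers must present a client certificate
}
```

Upgrading to 1.5.3 or later is the actual fix; this stanza only removes the unauthenticated, non-mTLS path the advisory describes and is worth keeping after the upgrade.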
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/hashicorp/nomad (Go) | >= 1.5.0, < 1.5.3 | 1.5.3 |
Affected products
- HashiCorp/Nomad (v5 range: 1.5.0)
- HashiCorp/Nomad Enterprise (v5 range: 1.5.0)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.