VYPR
Low severity · NVD Advisory · Published Jul 19, 2023 · Updated Oct 17, 2024

Nomad Caller ACL Token's Secret ID is Exposed to Sentinel

CVE-2023-3299

Description

HashiCorp Nomad Enterprise 1.2.11 up to 1.5.6, and 1.4.10: ACL policies using a block without a label generate unexpected results. Fixed in 1.6.0, 1.5.7, and 1.4.11.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

HashiCorp Nomad Enterprise ACL token secret ID exposed to Sentinel policies via unlabeled block, allowing potential leakage; fixed in versions 1.6.0, 1.5.7, 1.4.11.

Vulnerability

Overview

CVE-2023-3299 affects HashiCorp Nomad Enterprise versions 1.2.11 through 1.5.6 and 1.4.10. The vulnerability arises when ACL policies use a block without a label, causing the API caller's ACL token secret ID to be inadvertently exposed to Sentinel policies [1][3]. This exposure is not required for policy enforcement and can lead to unintended disclosure of sensitive credentials.

Exploitation

Prerequisites

Exploitation requires management-level privileges to submit a Sentinel policy to a Nomad cluster. An attacker must explicitly read the secret ID from the token using the expression nomad_acl_token.secret_id within the policy [3]. Only users with administrative access can therefore exploit the flaw directly; the residual risk is that a poorly written policy could leak the secret ID into command or API output.

Impact

If successfully exploited, an attacker with a management token could craft a Sentinel policy that captures the secret ID of the caller's ACL token. This could lead to token theft and subsequent unauthorized access to the Nomad cluster, potentially compromising the entire workload orchestration environment [3].

Mitigation

HashiCorp has fixed this vulnerability in Nomad Enterprise versions 1.6.0, 1.5.7, and 1.4.11 [1][3]. Users are strongly advised to upgrade to these versions or later. No workarounds are documented; upgrading is the recommended remediation.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                          Affected versions       Patched versions
github.com/hashicorp/nomad (Go)  >= 1.2.11, < 1.4.11     1.4.11
github.com/hashicorp/nomad (Go)  >= 1.5.0, < 1.5.7       1.5.7
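The advisory's remediation is a version upgrade, and its exploitation prerequisite is a policy that reads nomad_acl_token.secret_id. The following added example (written for this page, not code from HashiCorp or from the advisory) turns both into an operator-side audit: it checks a Nomad Enterprise version string against the affected ranges from the table above and scans Sentinel policy source for live references to the secret ID expression. The version string forms it accepts (plain, "v"-prefixed, "+ent" build metadata) and the sample policy are assumptions constructed for the example; the affected ranges are taken from the table.

```python
import re

# Affected ranges from the advisory's "Affected packages" table
# (GitHub Security Advisory data for github.com/hashicorp/nomad).
AFFECTED_RANGES = [
    ((1, 2, 11), (1, 4, 11)),   # >= 1.2.11, < 1.4.11 -> patched in 1.4.11
    ((1, 5, 0), (1, 5, 7)),     # >= 1.5.0,  < 1.5.7  -> patched in 1.5.7
]

# The Sentinel expression the advisory names as the only way a policy can
# read the caller's token secret.
SECRET_ID_EXPR = re.compile(r"\bnomad_acl_token\.secret_id\b")


def parse_version(version):
    """Parse strings such as '1.5.6', 'v1.5.6+ent' or 'Nomad v1.4.10+ent'
    (assumed forms) into a (major, minor, patch) tuple. Build metadata
    ('+ent') and pre-release tags are ignored for range comparison."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Nomad version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(low <= v < high for low, high in AFFECTED_RANGES)


def find_secret_id_references(policy_source):
    """Return 1-based line numbers of non-comment lines that reference
    nomad_acl_token.secret_id. Lines starting with '#' or '//' (Sentinel
    comment syntax) are skipped so commented-out text is not flagged."""
    hits = []
    for lineno, line in enumerate(policy_source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("#") or stripped.startswith("//"):
            continue
        if SECRET_ID_EXPR.search(line):
            hits.append(lineno)
    return hits


def audit(version, policy_source):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    if is_affected(version):
        findings.append(
            f"Nomad {version} is within an affected range for CVE-2023-3299; "
            "upgrade to 1.4.11, 1.5.7 or 1.6.0+"
        )
    for lineno in find_secret_id_references(policy_source):
        findings.append(
            f"policy line {lineno} reads nomad_acl_token.secret_id; "
            "remove the read, it is not needed for enforcement"
        )
    return findings


# Constructed sample Sentinel policy for the example; not from the advisory.
SAMPLE_POLICY = """\
# constructed sample Sentinel policy (not from the advisory)
import "strings"

# legitimate check: only allow jobs in the prod namespace
allowed = job.namespace is "prod"

# risky: copies the caller's token secret into a policy value
token_secret = nomad_acl_token.secret_id
# a reference inside a comment is not a live read: nomad_acl_token.secret_id

main = rule { allowed }
"""

if __name__ == "__main__":
    for finding in audit("v1.5.6+ent", SAMPLE_POLICY):
        print("FINDING:", finding)
```

Run it against the output of `nomad version` and the policy files you submit with `nomad sentinel apply`; a clean run returns an empty finding list, and the version check alone is enough to decide whether the upgrade in the Mitigation section is still pending.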

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0 (no linked articles in our index yet)