JWT Auth in L7 Intentions Allow For Mismatched Service Identity and JWT Providers for Access
Description
HashiCorp Consul and Consul Enterprise 1.16.0 when using JWT Auth for service mesh incorrectly allows/denies access regardless of service identities. Fixed in 1.16.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2023-3518: HashiCorp Consul 1.16.0 JWT Auth for service mesh incorrectly allows or denies access regardless of service identities, fixed in 1.16.1.
Vulnerability
CVE-2023-3518 is a vulnerability in HashiCorp Consul and Consul Enterprise 1.16.0 where JWT authentication for service mesh layer 7 intentions incorrectly allows or denies access regardless of the service identity (mTLS certificate). The issue was found during internal testing by the Consul engineering team [3].
Exploitation
The attack surface is specific to Consul deployments that use JWT authentication in the service mesh. An attacker who can send requests to the mesh may exploit the flaw: when two source intentions that restrict access with different JWT providers are configured, only one of the JWT validation configurations is applied. As a result, some service identities can be incorrectly authenticated with a JWT issued by the wrong provider [2][3].
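The pattern described above, as an added illustration that is not part of the advisory or of Consul's own documentation: two `jwt-provider` config entries and one `service-intentions` entry whose two sources are each bound to a different provider. Service names (`api`, `web`, `batch`), provider names (`idp-a`, `idp-b`), issuers and JWKS URIs are constructed placeholders. On Consul 1.16.0 this is the configuration shape affected by the bug, so it is the shape to search for when auditing whether a deployment needs the 1.16.1 upgrade; on 1.16.1 and later each source is validated against its own provider as written.

```hcl
# jwt-provider entry for the first identity provider (constructed example).
Kind = "jwt-provider"
Name = "idp-a"
Issuer = "https://idp-a.example.invalid/"
JSONWebKeySet = {
  Remote = {
    URI = "https://idp-a.example.invalid/.well-known/jwks.json"
    FetchAsynchronously = true
  }
}

# jwt-provider entry for the second identity provider (constructed example).
Kind = "jwt-provider"
Name = "idp-b"
Issuer = "https://idp-b.example.invalid/"
JSONWebKeySet = {
  Remote = {
    URI = "https://idp-b.example.invalid/.well-known/jwks.json"
    FetchAsynchronously = true
  }
}

# L7 intentions for the destination service "api".
# Two sources, each restricted with a different JWT provider: this is the
# "mismatched service identity and JWT provider" situation the CVE covers.
Kind = "service-intentions"
Name = "api"
Sources = [
  {
    # Requests from the "web" service identity must carry a token from idp-a.
    Name = "web"
    Permissions = [
      {
        Action = "allow"
        HTTP = { PathPrefix = "/" }
        JWT = {
          Providers = [
            {
              Name = "idp-a"
              VerifyClaims = [
                { Path = ["aud"], Value = "api" }
              ]
            }
          ]
        }
      }
    ]
  },
  {
    # Requests from the "batch" service identity must carry a token from idp-b.
    Name = "batch"
    Permissions = [
      {
        Action = "allow"
        HTTP = { PathPrefix = "/jobs" }
        JJWT_PLACEHOLDER = null
      }
    ]
  }
]
```

The intent of the two sources is that the mTLS identity (`web` or `batch`) and the JWT issuer (`idp-a` or `idp-b`) are checked together. The advisory states that on 1.16.0 only one of the two JWT validation configurations is used, so a request with the `batch` certificate and an `idp-a` token could be treated as if it satisfied the `batch` source's rule, or vice versa. The only fix the advisory gives is the upgrade to 1.16.1; no intention-level workaround is mentioned.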
Impact
Successful exploitation could allow an attacker to bypass intended access controls. Depending on the network configuration, this could result in unauthorized access to services within the mesh, potentially exposing sensitive data or allowing further network traversal. The vulnerability does not require special privileges beyond the ability to interact with the affected service mesh endpoints [3].
Mitigation
HashiCorp released Consul 1.16.1, which fixes the issue. Users of Consul 1.16.0 are advised to upgrade to 1.16.1 or later. No workarounds are mentioned in the advisory. The vulnerability was internally discovered and reported by HashiCorp's engineering team [3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/hashicorp/consul | Go | >= 1.16.0, < 1.16.1 | 1.16.1 |
Affected products
OSV coordinates (8 versions)
- pkg:apk/chainguard/consul-1.16 (no CPE), range: < 1.16.1-r0
- pkg:apk/chainguard/consul-1.16-oci-entrypoint (no CPE), range: < 1.16.1-r0
- pkg:apk/chainguard/consul-1.16-oci-entrypoint-compat (no CPE), range: < 1.16.1-r0
- pkg:apk/wolfi/consul-1.16 (no CPE), range: < 1.16.1-r0
- pkg:apk/wolfi/consul-1.16-oci-entrypoint (no CPE), range: < 1.16.1-r0
- pkg:apk/wolfi/consul-1.16-oci-entrypoint-compat (no CPE), range: < 1.16.1-r0
- pkg:bitnami/consul (no CPE), range: >= 1.16.0, < 1.16.1
- pkg:golang/github.com/hashicorp/consul (no CPE), range: >= 1.16.0, < 1.16.1
CPE (v5) ranges
- HashiCorp/Consul, range: 1.16.0
- HashiCorp/Consul Enterprise, range: 1.16.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (3)
News mentions
No linked articles in our index yet.