Nomad Exposes Sensitive Workload Identity and Client Secret Token in Audit Logs
Description
Nomad Community and Nomad Enterprise (“Nomad”) are vulnerable to unintentional exposure of the workload identity token and client secret token in audit logs. This vulnerability, identified as CVE-2025-1296, is fixed in Nomad Community Edition 1.9.7 and Nomad Enterprise 1.9.7, 1.8.11, and 1.7.19.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Nomad unintentionally writes unredacted workload identity JWTs and the OIDC client secret to audit logs, enabling token theft and impersonation.
Vulnerability Description
CVE-2025-1296 is an information exposure vulnerability in HashiCorp Nomad (both Community and Enterprise editions). The audit logging mechanism failed to redact sensitive tokens, namely the workload identity JWT and the OIDC client secret, before writing them to log files and the event stream [4]. The root cause was that the ACLAuthMethod struct was serialized directly without calling a sanitization step, leaving secret fields such as OIDCClientSecret in plaintext [3].
Attack Vector and Prerequisites
An attacker who gains read access to Nomad’s audit logs or event stream can harvest these unredacted tokens. This could occur if a log aggregator is misconfigured, if logs are stored in a shared directory, or if a separate vulnerability allows unauthorized file read. No additional authentication is required to leverage the exposed secrets once the logs are accessible [4].
Impact
With the stolen workload identity token, an attacker can impersonate the workload or the authenticated user associated with the OIDC flow. Exposure of the OIDC client secret permits unauthorized access to protected resources and services configured with that OAuth provider [4]. The confidentiality of downstream systems is directly compromised.
Mitigation
The vulnerability is fixed in Nomad Community Edition 1.9.7 and Nomad Enterprise 1.9.7, 1.8.11, and 1.7.19 [1][4]. The remediation introduces a Sanitize() method that replaces the OIDCClientSecret with the literal string "redacted" in API responses and event stream objects [3]. Administrators should upgrade immediately and rotate any exposed secrets.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
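The mechanism and fix described above, as an added example that is not Nomad's code: the types, field names, and the `topic=... payload=...` line format are assumptions loosely modelled on the ACLAuthMethod and ACLAuthMethodConfig names the patch mentions. The program serializes an auth method into an audit-style sink the pre-fix way and the sanitized way, checks that Sanitize returns a copy rather than mutating the stored object, and, going beyond the narrative, adds a scan over already-written audit lines that names the methods whose client secret was logged in clear, which is the check an operator would run before deciding which secrets to rotate.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Hypothetical types loosely modelled on the ACLAuthMethod / ACLAuthMethodConfig
// names in the patch; fields and JSON layout are assumptions for this example.
type AuthMethodConfig struct {
	OIDCClientID     string `json:"OIDCClientID"`
	OIDCClientSecret string `json:"OIDCClientSecret"`
}

type AuthMethod struct {
	Name   string            `json:"Name"`
	Type   string            `json:"Type"`
	Config *AuthMethodConfig `json:"Config"`
}

// Redacted is the placeholder written in place of a secret (same literal as the fix).
const Redacted = "redacted"

// Copy returns a deep copy so that Sanitize never mutates an object held in state.
func (a *AuthMethod) Copy() *AuthMethod {
	if a == nil {
		return nil
	}
	c := *a
	if a.Config != nil {
		cfg := *a.Config
		c.Config = &cfg
	}
	return &c
}

// Sanitize returns a redacted copy; a nil receiver or nil Config is returned as-is.
func (a *AuthMethod) Sanitize() *AuthMethod {
	if a == nil || a.Config == nil {
		return a
	}
	clean := a.Copy()
	if clean.Config.OIDCClientSecret != "" {
		clean.Config.OIDCClientSecret = Redacted
	}
	return clean
}

// auditLine stands in for an audit/event sink that serializes whatever it is handed
// (constructed format, not Nomad's real audit log layout).
func auditLine(topic string, payload interface{}) string {
	b, _ := json.Marshal(payload)
	return fmt.Sprintf("topic=%s payload=%s", topic, b)
}

// VulnerableLine hands the stored object straight to the sink (pre-fix behaviour).
func VulnerableLine(am *AuthMethod) string { return auditLine("ACLAuthMethod", am) }

// FixedLine sanitizes first (post-fix behaviour).
func FixedLine(am *AuthMethod) string { return auditLine("ACLAuthMethod", am.Sanitize()) }

// LeaksSecret reports whether a rendered line contains the secret verbatim.
func LeaksSecret(line, secret string) bool { return strings.Contains(line, secret) }

// SampleAuditLines are constructed lines in the shape auditLine produces: one
// pre-fix line, one post-fix line, and one method with no OIDC config at all.
var SampleAuditLines = []string{
	VulnerableLine(&AuthMethod{Name: "legacy-oidc", Type: "OIDC",
		Config: &AuthMethodConfig{OIDCClientID: "a", OIDCClientSecret: "leaked-secret-constructed"}}),
	FixedLine(&AuthMethod{Name: "new-oidc", Type: "OIDC",
		Config: &AuthMethodConfig{OIDCClientID: "b", OIDCClientSecret: "hidden-secret-constructed"}}),
	auditLine("ACLAuthMethod", &AuthMethod{Name: "jwt-method", Type: "JWT"}),
}

// UnredactedMethods scans audit lines and returns the names of auth methods whose
// client secret was written in clear; those are the secrets an operator must rotate.
func UnredactedMethods(lines []string) []string {
	var hits []string
	for _, l := range lines {
		i := strings.Index(l, "payload=")
		if i < 0 {
			continue
		}
		var am AuthMethod
		if err := json.Unmarshal([]byte(l[i+len("payload="):]), &am); err != nil {
			continue
		}
		if am.Config != nil && am.Config.OIDCClientSecret != "" && am.Config.OIDCClientSecret != Redacted {
			hits = append(hits, am.Name)
		}
	}
	return hits
}

func main() {
	am := &AuthMethod{Name: "github-oidc", Type: "OIDC",
		Config: &AuthMethodConfig{OIDCClientID: "nomad", OIDCClientSecret: "s3cr3t-constructed"}}
	fmt.Println(VulnerableLine(am)) // secret appears in clear
	fmt.Println(FixedLine(am))      // OIDCClientSecret is "redacted"
	fmt.Println("stored object untouched:", am.Config.OIDCClientSecret == "s3cr3t-constructed")
	fmt.Println("methods needing rotation:", UnredactedMethods(SampleAuditLines))
}
```

The patch relies on every call site remembering to call Sanitize() before an ACLAuthMethod reaches a reply or an event. A further hardening not in the patch is to make the secret unexportable through serialization itself (a `json:"-"` tag or a custom MarshalJSON on the config type), so that a forgotten call site degrades to a missing field rather than a leaked secret.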
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/hashicorp/nomad (Go) | <= 1.9.6 | — |
Affected products
- pkg:golang/github.com/hashicorp/nomad (no CPE), range: <= 1.9.6
- pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed (no CPE), range: < 0.0.20250313T170021-1.1
- HashiCorp/Nomad, v5 range: 1.0.0
- HashiCorp/Nomad Enterprise, v5 range: 1.0.0
Patches
dc482bf9058f auth: redact auth method client secret (#25328)
5 files changed · +39 −1
.changelog/25328.txt+3 −0 added@@ -0,0 +1,3 @@ +```release-note:security +auth: Redact OIDC client secret from API responses and event stream ([CVE-2025-1296](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1296)) +```
nomad/acl_endpoint.go+1 −1 modified@@ -2084,7 +2084,7 @@ func (a *ACL) GetAuthMethod( // We didn't encounter an error looking up the index; set the auth // method on the reply and exit successfully. - reply.AuthMethod = out + reply.AuthMethod = out.Sanitize() return nil }, })
nomad/state/events.go+2 −0 modified@@ -110,6 +110,7 @@ func eventFromChange(change memdb.Change) (structs.Event, bool) { if !ok { return structs.Event{}, false } + before = before.Sanitize() return structs.Event{ Topic: structs.TopicACLAuthMethod, Key: before.Name, @@ -283,6 +284,7 @@ func eventFromChange(change memdb.Change) (structs.Event, bool) { if !ok { return structs.Event{}, false } + after = after.Sanitize() return structs.Event{ Topic: structs.TopicACLAuthMethod, Key: after.Name,
nomad/structs/acl.go+15 −0 modified@@ -978,6 +978,21 @@ func (a *ACLAuthMethod) Validate(minTTL, maxTTL time.Duration) error { return mErr.ErrorOrNil() } +// Sanitize returns a copy of the ACLAuthMethod with any secrets redacted +func (a *ACLAuthMethod) Sanitize() *ACLAuthMethod { + if a == nil || a.Config == nil { + return a + } + // copy to ensure we do not mutate a pointer pulled directly out of state. + clean := a.Copy() + // clean nested structs here, so it's obvious what all is being cleaned + // in one spot, rather than follow a stack of sanitization calls. + if clean.Config.OIDCClientSecret != "" { + clean.Config.OIDCClientSecret = "redacted" + } + return clean +} + // TokenLocalityIsGlobal returns whether the auth method creates global ACL // tokens or not. func (a *ACLAuthMethod) TokenLocalityIsGlobal() bool {
nomad/structs/acl_test.go+18 −0 modified@@ -1263,6 +1263,24 @@ func TestACLAuthMethod_Validate(t *testing.T) { } } +// Sanitize method should redact sensitive values +func TestACLAuthMethod_Sanitize(t *testing.T) { + // these just shouldn't nil panic + am := &ACLAuthMethod{} + am.Sanitize() + am.Config = &ACLAuthMethodConfig{} + am.Sanitize() + + t.Run("client secret", func(t *testing.T) { + am := am.Copy() + am.Config.OIDCClientSecret = "very private secret" + dirty := am.Config.OIDCClientSecret + clean := am.Sanitize().Config.OIDCClientSecret + must.Eq(t, "very private secret", dirty) + must.Eq(t, "redacted", clean) + }) +} + func TestACLAuthMethod_Merge(t *testing.T) { ci.Parallel(t)
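Review bot: only the GetAuthMethod reply is sanitized in the nomad/acl_endpoint.go hunk (`reply.AuthMethod = out.Sanitize()`); any other RPC reply or HTTP response that returns a full ACLAuthMethod rather than a stub needs the same call, otherwise OIDCClientSecret is still returned on that path. Worth auditing every place an ACLAuthMethod is copied out of state into a reply and saying in the changelog entry which paths were covered.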
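Review bot: the event-stream path changed in the nomad/state/events.go hunks (`before = before.Sanitize()` and `after = after.Sanitize()`) has no test; the added TestACLAuthMethod_Sanitize only exercises Sanitize() directly. Add a test that stores an auth method with a non-empty OIDCClientSecret and asserts the emitted TopicACLAuthMethod event payload carries "redacted", since the event stream is the path the advisory describes.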
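Review bot: the doc comment on Sanitize in nomad/structs/acl.go promises a copy, but the early return `if a == nil || a.Config == nil { return a }` hands back the original pointer, so callers cannot treat the result as a fresh object in that case; either copy unconditionally or state the exception in the comment. The literal "redacted" should also be a named constant shared by the test and any other struct that gets a Sanitize method, so the placeholder cannot drift between types.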
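Review bot: the no-mutation check in nomad/structs/acl_test.go is ineffective: `dirty := am.Config.OIDCClientSecret` captures the string before Sanitize() runs, so `must.Eq(t, "very private secret", dirty)` passes even if Sanitize mutated am in place. Read am.Config.OIDCClientSecret after the Sanitize() call (or assert on am itself) to actually verify that the stored object is untouched.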
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-c3q9-q986-vrwh (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-1296 (ghsa, ADVISORY)
- discuss.hashicorp.com/t/hcsec-2025-04-nomad-exposes-sensitive-workload-identity-and-client-secret-token-in-audit-logs/73737 (ghsa, WEB)
- github.com/hashicorp/nomad/commit/dc482bf9058faf7a192486eb52caa1d42646f6b3 (ghsa, WEB)
- pkg.go.dev/vuln/GO-2025-3510 (ghsa, WEB)