2446879 – (CVE-2026-2808) CVE-2026-2808 github.com/hashicorp/consul: HashiCorp Consul: Arbitrary file read via Kubernetes authentication configuration

Bug 2446879 (CVE-2026-2808) - CVE-2026-2808 github.com/hashicorp/consul: HashiCorp Consul: Arbitrary file read via Kubernetes authentication configuration

Summary: CVE-2026-2808 github.com/hashicorp/consul: HashiCorp Consul: Arbitrary file r...

Keywords:
Status:	NEW
Alias:	CVE-2026-2808
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-03-12 00:01 UTC by OSIDB Bzimport
Modified:	2026-03-12 11:53 UTC (History)
CC List:	39 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-03-12 00:01:27 UTC

HashiCorp Consul and Consul Enterprise 1.18.20 up to 1.21.10 and 1.22.4 are vulnerable to arbitrary file read when configured with Kubernetes authentication. This vulnerability, CVE-2026-2808, is fixed in Consul 1.18.21, 1.21.11 and 1.22.5.

Note You need to log in before you can comment on or make changes to this bug.

alcohan
anjoseph
crizzo
dhanak
drosa
dschmidt
dsimansk
eglynn
erezende
gparvin
jbalunas
jcantril
jjoyce
jlanda
jprabhak
jschluet
kingland
kshier
kverlaen
lhh
ljawale
luizcosta
mburns
mgarciac
mnovotny
mwringe
nweather
pahickey
rbobbitt
rhaigner
rojacob
sausingh
sdawley
simaishi
smcdonal
stcannon
teagle
wtam
yguenane