PatchSiren cyber security CVE debrief
CVE-2026-14468 HashiCorp CVE debrief
CVE-2026-14468 is a vulnerability in HashiCorp Terraform Enterprise's version control system (VCS) ingestion of registry modules. The issue did not correctly enforce the intended boundary on packaged module content, potentially allowing an authenticated user to include and download files from outside the intended repository content. This could expose sensitive files readable by the ingestion process. The vulnerability is fixed in Terraform Enterprise v2.0.4 and v1.2.4. Users should review their deployments and update to a fixed version to mitigate this high-severity vulnerability.
- Vendor
- HashiCorp
- Product
- Terraform Enterprise
- CVSS
- HIGH 7.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-06
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-07-06
- Advisory updated
- 2026-07-07
Who should care
Users of HashiCorp Terraform Enterprise should be aware of this vulnerability and take steps to ensure their systems are updated to a fixed version. This includes reviewing and monitoring module ingestion processes for potential unauthorized file access and implementing compensating controls to restrict access to sensitive files.
Technical summary
The vulnerability, CVE-2026-14468, is related to the VCS ingestion of registry modules in HashiCorp Terraform Enterprise. The issue allows an authenticated user to potentially include and download files outside the intended repository content, exposing sensitive files. The CVSS score for this vulnerability is 7.7, indicating a high severity. This issue is fixed in Terraform Enterprise v2.0.4 and v1.2.4.
Defensive priority
High priority should be given to updating Terraform Enterprise to a fixed version, as this vulnerability could lead to the exposure of sensitive files. Additionally, reviewing and monitoring module ingestion processes and implementing compensating controls are crucial steps in mitigating this vulnerability.
Recommended defensive actions
- Update Terraform Enterprise to version 2.0.4 or 1.2.4.
- Review and monitor module ingestion processes for potential unauthorized file access.
- Implement compensating controls to restrict access to sensitive files.
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
Evidence notes
The CVE record was published on 2026-07-06T21:16:53.000Z and was last modified on 2026-07-07T15:16:42.847Z. The NVD entry is currently Deferred. This vulnerability affects HashiCorp Terraform Enterprise's version control system (VCS) ingestion of registry modules, potentially allowing an authenticated user to include and download files from outside the intended repository content, exposing sensitive files readable by the ingestion process.
Official resources
-
CVE-2026-14468 CVE record
CVE.org
-
CVE-2026-14468 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T21:16:53.000Z and has not been modified since then. The NVD entry is currently Deferred.