PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-14468 HashiCorp CVE debrief

CVE-2026-14468 is a vulnerability in HashiCorp Terraform Enterprise's version control system (VCS) ingestion of registry modules. The issue did not correctly enforce the intended boundary on packaged module content, potentially allowing an authenticated user to include and download files from outside the intended repository content. This could expose sensitive files readable by the ingestion process. The vulnerability is fixed in Terraform Enterprise v2.0.4 and v1.2.4. Users should review their deployments and update to a fixed version to mitigate this high-severity vulnerability.

Vendor
HashiCorp
Product
Terraform Enterprise
CVSS
HIGH 7.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-06
Original CVE updated
2026-07-07
Advisory published
2026-07-06
Advisory updated
2026-07-07

Who should care

Users of HashiCorp Terraform Enterprise should be aware of this vulnerability and take steps to ensure their systems are updated to a fixed version. This includes reviewing and monitoring module ingestion processes for potential unauthorized file access and implementing compensating controls to restrict access to sensitive files.

Technical summary

The vulnerability, CVE-2026-14468, is related to the VCS ingestion of registry modules in HashiCorp Terraform Enterprise. The issue allows an authenticated user to potentially include and download files outside the intended repository content, exposing sensitive files. The CVSS score for this vulnerability is 7.7, indicating a high severity. This issue is fixed in Terraform Enterprise v2.0.4 and v1.2.4.

Defensive priority

High priority should be given to updating Terraform Enterprise to a fixed version, as this vulnerability could lead to the exposure of sensitive files. Additionally, reviewing and monitoring module ingestion processes and implementing compensating controls are crucial steps in mitigating this vulnerability.

Recommended defensive actions

  • Update Terraform Enterprise to version 2.0.4 or 1.2.4.
  • Review and monitor module ingestion processes for potential unauthorized file access.
  • Implement compensating controls to restrict access to sensitive files.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.

Evidence notes

The CVE record was published on 2026-07-06T21:16:53.000Z and was last modified on 2026-07-07T15:16:42.847Z. The NVD entry is currently Deferred. This vulnerability affects HashiCorp Terraform Enterprise's version control system (VCS) ingestion of registry modules, potentially allowing an authenticated user to include and download files from outside the intended repository content, exposing sensitive files readable by the ingestion process.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T21:16:53.000Z and has not been modified since then. The NVD entry is currently Deferred.