HashiCorp Consul
11 CVEs affecting HashiCorp Consul. Latest disclosed: 2026-03-11. Critical: 0, High: 4.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2023-2816 | High | 8.7 | 2023-06-02 | Consul and Consul Enterprise allowed any user with service:write permissions to use Envoy extensions configured via service-defaults to patch remote proxy inst… |
| CVE-2024-10006 | High | 8.3 | 2024-10-30 | A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using Headers in L7 traffic intentions could bypass HTTP header based acces… |
| CVE-2024-10005 | High | 8.1 | 2024-10-30 | A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using URL paths in L7 traffic intentions could bypass HTTP request path-bas… |
| CVE-2023-3518 | High | 7.4 | 2023-08-09 | HashiCorp Consul and Consul Enterprise 1.16.0 when using JWT Auth for service mesh incorrectly allows/denies access regardless of service identities. Fixed in… |
| CVE-2026-2808 | Medium | 6.8 | 2026-03-11 | HashiCorp Consul and Consul Enterprise 1.18.20 up to 1.21.10 and 1.22.4 are vulnerable to arbitrary file read when configured with Kubernetes authentication. T… |
| CVE-2025-11374 | Medium | 6.5 | 2025-10-28 | Consul and Consul Enterprise’s (“Consul”) key/value endpoint is vulnerable to denial of service (DoS) due to incorrect Content Length header validation. This v… |
| CVE-2025-11375 | Medium | 6.5 | 2025-10-28 | Consul and Consul Enterprise’s (“Consul”) event endpoint is vulnerable to denial of service (DoS) due to lack of maximum value on the Content Length header. Th… |
| CVE-2024-10086 | Medium | 6.1 | 2024-10-30 | A vulnerability was identified in Consul and Consul Enterprise such that the server response did not explicitly set a Content-Type HTTP header, allowing user-p… |
| CVE-2022-3920 | Medium | 5.3 | 2022-11-15 | HashiCorp Consul and Consul Enterprise 1.13.0 up to 1.13.3 do not filter cluster filtering's imported nodes and services for HTTP or RPC endpoints used by the… |
| CVE-2023-1297 | Medium | 4.9 | 2023-06-02 | Consul and Consul Enterprise's cluster peering implementation contained a flaw whereby a peer cluster with service of the same name as a local service could co… |
| CVE-2023-0845 | Medium | 4.9 | 2023-03-09 | Consul and Consul Enterprise allowed an authenticated user with service:write permissions to trigger a workflow that causes Consul server and client agents to… |