HashiCorp Patches Consul Arbitrary File Read Vulnerability in Kubernetes Auth
HashiCorp has released emergency patches for Consul to address CVE-2026-2808, a medium-severity vulnerability allowing arbitrary file reads when Kubernetes authentication is enabled. The fix also adds HTTP server timeouts to prevent Slowloris denial-of-service attacks against Consul agent endpoints.
HashiCorp has released emergency patches for Consul versions 1.18.21, 1.21.11, and 1.22.5 to address CVE-2026-2808, a vulnerability that allows authenticated users with network access to read arbitrary files from the Consul server when Kubernetes authentication is enabled. The advisory, published as HCSEC-2026-02, also includes fixes for denial-of-service risks in Consul's HTTP endpoints.
The Vulnerability
CVE-2026-2808 is classified as medium severity (CVSS 6.8) because it requires network access and elevated privileges to exploit. The flaw exists in how Consul handles symbolic links during Kubernetes authentication token validation. An attacker who can authenticate to Consul's Kubernetes auth method can craft a request that causes the server to follow symlinks and read files outside the intended directory — including configuration files, certificates, and other secrets stored on the Consul server's filesystem.
The vulnerability affects Consul and Consul Enterprise versions from 1.18.20 through 1.21.10 and 1.22.4. Only installations using the Kubernetes authentication method are affected; Consul deployments using other authentication backends are not vulnerable.
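As an added illustration, not Consul's own code: the bug class described above is a file read that follows symlinks without checking where they land. The Go snippet below shows that naive pattern beside a containment check that resolves every link and only reads the file if the final target still sits under the permitted directory; the directory layout and file names are constructed for the demo.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
)

var ErrOutsideBase = errors.New("path resolves outside the permitted directory")

// naiveRead follows symlinks unconditionally (illustrative pattern, not Consul's code).
func naiveRead(base, name string) ([]byte, error) {
	return os.ReadFile(filepath.Join(base, name))
}

// containedRead resolves every symlink first and reads only if the final
// target still lies under base (base is expected to be an absolute path).
func containedRead(base, name string) ([]byte, error) {
	realBase, err := filepath.EvalSymlinks(base)
	if err != nil {
		return nil, err
	}
	target, err := filepath.EvalSymlinks(filepath.Join(base, name))
	if err != nil {
		return nil, err
	}
	rel, err := filepath.Rel(realBase, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return nil, ErrOutsideBase
	}
	return os.ReadFile(target)
}

// newFixture builds a constructed layout under a temp dir:
// base/allowed.txt, outside/secret.txt and base/link -> ../outside/secret.txt.
func newFixture() (base string, cleanup func(), err error) {
	tmp, err := os.MkdirTemp("", "symlink-demo")
	if err != nil {
		return "", nil, err
	}
	cleanup = func() { os.RemoveAll(tmp) }
	base = filepath.Join(tmp, "base")
	os.MkdirAll(filepath.Join(tmp, "outside"), 0o700)
	os.MkdirAll(base, 0o700)
	os.WriteFile(filepath.Join(tmp, "outside", "secret.txt"), []byte("secret"), 0o600)
	os.WriteFile(filepath.Join(base, "allowed.txt"), []byte("ok"), 0o600)
	err = os.Symlink(filepath.Join("..", "outside", "secret.txt"), filepath.Join(base, "link"))
	return base, cleanup, err
}
```

The same containment check applies to any file-backed input a server resolves on behalf of a client, which is why the advisory's fix also covers the Vault CA provider and AppRole paths.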
Slowloris Protection
The same patch release adds HTTP server timeout configuration for Consul agent endpoints. Without these timeouts, Consul's HTTP API was susceptible to Slowloris-style denial-of-service attacks, where an attacker opens many connections and sends data very slowly, exhausting the server's connection pool without triggering rate limits. The new timeouts apply to both the standard agent HTTP endpoint and the pprof debugging endpoint.
Upgrade Guidance
HashiCorp recommends that all Consul users running affected versions upgrade immediately, particularly those using Kubernetes-based authentication. The fix also addresses similar symlink-following issues in the Vault CA provider and AppRole authentication methods. Consul deployments in Kubernetes environments should audit their file system permissions and verify that the Consul server process runs with minimal file system access.