CVE-2025-1296: Nomad is vulnerable to unintentional exposure of the workload identity token and client secret token in audit logs
Nomad Community and Nomad Enterprise (“Nomad”) are vulnerable to unintentional exposure of the workload identity token and client secret token in audit logs. This vulnerability, identified as CVE-2025-1296, is fixed in Nomad Community Edition 1.9.7 and Nomad Enterprise 1.9.7, 1.8.11, and 1.7.19.
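The practical check that follows from the fixed-version list is whether a given Nomad binary is still affected. The program below is an added example written for this page; it is not code from the Nomad project, the advisory, or GitLab. It parses a version string (or the first line of `nomad version` output), picks the edition from the `+ent` build tag that HashiCorp puts on Enterprise builds, and compares against the patched releases named above. Two assumptions are built in and marked in comments: the advisory does not state the earliest affected release, so every release below the relevant patched version (including minor lines that received no backport) is treated as vulnerable, and pre-release tags such as `-dev` are ignored so a build is judged by its base numbers. The function and variable names are the example's own.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// version is a Nomad release as major.minor.patch.
type version [3]int

// fixedReleases lists the patched releases named in the advisory, highest
// first, per edition. Releases below the lowest listed minor line, and
// minor lines that received no patch, are treated as vulnerable: the
// advisory gives no earliest affected release, so that is an assumption.
var fixedReleases = map[string][]version{
	"community":  {{1, 9, 7}},
	"enterprise": {{1, 9, 7}, {1, 8, 11}, {1, 7, 19}},
}

// versionRe matches "1.9.6", "v1.9.6", "v1.9.6+ent" or "v1.9.7-dev+ent".
// A pre-release tag is ignored, so a dev build is judged by its base numbers.
var versionRe = regexp.MustCompile(`^v?(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.]+)?(\+ent)?$`)

// parseNomadVersion accepts a bare version string or the first line of
// `nomad version` output ("Nomad v1.9.6+ent"). HashiCorp marks Enterprise
// builds with the +ent build tag; everything else is treated as Community.
func parseNomadVersion(s string) (version, string, error) {
	var v version
	line := strings.TrimSpace(strings.SplitN(s, "\n", 2)[0])
	line = strings.TrimPrefix(line, "Nomad ")
	m := versionRe.FindStringSubmatch(line)
	if m == nil {
		return v, "", fmt.Errorf("unrecognised Nomad version %q", line)
	}
	for i := 0; i < 3; i++ {
		n, err := strconv.Atoi(m[i+1])
		if err != nil {
			return v, "", err
		}
		v[i] = n
	}
	edition := "community"
	if m[4] == "+ent" {
		edition = "enterprise"
	}
	return v, edition, nil
}

// compare returns -1, 0 or 1 as a is below, equal to or above b.
func compare(a, b version) int {
	for i := range a {
		switch {
		case a[i] < b[i]:
			return -1
		case a[i] > b[i]:
			return 1
		}
	}
	return 0
}

// isVulnerable reports whether the release still carries CVE-2025-1296.
func isVulnerable(v version, edition string) (bool, error) {
	fixes, ok := fixedReleases[edition]
	if !ok {
		return false, fmt.Errorf("unknown edition %q", edition)
	}
	// At or beyond the newest patched release: fixed (covers later minors too).
	if compare(v, fixes[0]) >= 0 {
		return false, nil
	}
	// On a maintenance line that received a backport: fixed from that patch on.
	for _, f := range fixes {
		if v[0] == f[0] && v[1] == f[1] {
			return compare(v, f) < 0, nil
		}
	}
	// Older minor line with no backport: treated as vulnerable (assumption).
	return true, nil
}

// checkNomadVersion combines parsing and the lookup for a single string.
func checkNomadVersion(s string) (bool, error) {
	v, edition, err := parseNomadVersion(s)
	if err != nil {
		return false, err
	}
	return isVulnerable(v, edition)
}

func main() {
	// Constructed sample inputs, not real inventory data.
	samples := []string{
		"Nomad v1.9.6+ent",
		"Nomad v1.9.7+ent",
		"Nomad v1.8.11+ent",
		"Nomad v1.8.11",
		"v1.7.18+ent",
		"1.10.0",
	}
	for _, s := range samples {
		vuln, err := checkNomadVersion(s)
		if err != nil {
			fmt.Printf("%-20s error: %v\n", s, err)
			continue
		}
		fmt.Printf("%-20s vulnerable=%v\n", s, vuln)
	}
}
```

Note that Community 1.8.11 is reported as vulnerable while Enterprise 1.8.11 is not: the advisory lists backports to the 1.8 and 1.7 lines only for Enterprise. For Go code that imports Nomad packages, the GO-2025-3510 entry in the references means `govulncheck` will flag the affected module versions without any custom logic.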
References
- discuss.hashicorp.com/t/hcsec-2025-04-nomad-exposes-sensitive-workload-identity-and-client-secret-token-in-audit-logs/73737
- github.com/advisories/GHSA-c3q9-q986-vrwh
- github.com/hashicorp/nomad
- github.com/hashicorp/nomad/commit/dc482bf9058faf7a192486eb52caa1d42646f6b3
- nvd.nist.gov/vuln/detail/CVE-2025-1296
- pkg.go.dev/vuln/GO-2025-3510