HashiCorp Consul and Consul Enterprise 1.18.20 up to 1.21.10 and 1.22.4 are vulnerable to arbitrary file read when configured with Kubernetes authentication. This vulnerability, CVE-2026-2808, is fixed in Consul 1.18.21, 1.21.11 and 1.22.5.

A flaw was found in HashiCorp Consul. When configured with Kubernetes authentication, a highly privileged attacker can exploit this vulnerability to perform arbitrary file reads. This could lead to the disclosure of sensitive information from the system.

HashiCorp Consul and Consul Enterprise 1.18.20 up to 1.21.10 and 1.22.4 are vulnerable to arbitrary file read when configured with Kubernetes authentication. This vulnerability, CVE-2026-2808, is fixed in Consul 1.18.21, 1.21.11 and 1.22.5.

HashiCorp Consul and Consul Enterprise 1.18.20 up to 1.21.10 and 1.22. ...

Consul is vulnerable to arbitrary file read when configured with Kubernetes authentication