CVE-2026-2808: CWE-59: Improper Link Resolution Before File Access (Link Following) in HashiCorp Consul
CVE-2026-2808 is a vulnerability in HashiCorp Consul versions 1.18.20 through 1.21.10 and 1.22.4 that allows arbitrary file read due to improper link resolution before file access when Kubernetes authentication is enabled. This flaw, categorized under CWE-59 (Improper Link Resolution Before File Access), can be exploited over the network and requires high privileges but no user interaction. The vulnerability impacts confidentiality by exposing sensitive files without affecting integrity or availability. It has a CVSS v3.1 base score of 6.8 (Medium).
AI Analysis
Technical Summary
CVE-2026-2808 is a security vulnerability in HashiCorp Consul and Consul Enterprise versions 1.18.20 through 1.21.10 and 1.22.4. The issue is improper link resolution before file access (CWE-59): a file path that Consul trusts is opened without first checking whether it, or a component of it, is a symbolic link, so a link planted at that location redirects the read to an arbitrary file on the host. The condition is reachable only when Consul is configured to use Kubernetes authentication, a common setup in cloud-native environments. An attacker with network access and high privileges (PR:H) can use it to read files that the Consul process can access but that the intended access controls should have kept out of reach. No user interaction is required. Integrity and availability are not affected, but confidentiality is: configuration files, credentials and other secrets readable by the Consul process are exposed. The CVSS v3.1 base score is 6.8 (Medium); the need for elevated privileges keeps it out of the high range. HashiCorp fixed the issue in Consul 1.18.21, 1.21.11 and 1.22.5. No public exploit has been reported to date.
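The page names the weakness class but not Consul's affected code path, so the following is an added, generic illustration of CWE-59 and not Consul's own code: a naive read that joins a caller-controlled name onto a trusted directory and follows whatever symlink sits there, beside a hardened read that resolves links before the containment check and then opens with O_NOFOLLOW so a link swapped in after the check cannot redirect the open. The root directory, file names and error type are assumptions made for the example; O_NOFOLLOW is Unix-only.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// ErrOutsideRoot is returned when a name resolves to a file outside the permitted root.
var ErrOutsideRoot = errors.New("path resolves outside the permitted root")

// NaiveReadFile is the CWE-59 pattern: the name is joined onto a trusted
// directory and opened as-is, so a symlink at that location is followed.
func NaiveReadFile(root, name string) ([]byte, error) {
	return os.ReadFile(filepath.Join(root, name))
}

// isWithin reports whether path is root itself or a descendant of root,
// judged lexically after both have been cleaned.
func isWithin(root, path string) bool {
	rel, err := filepath.Rel(root, path)
	if err != nil {
		return false
	}
	return rel == "." || (rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator)))
}

// SafeReadFile resolves every symlink in root and in the requested path before
// checking containment, then opens the resolved path with O_NOFOLLOW so the
// final component cannot be swapped for a link between the check and the open.
func SafeReadFile(root, name string) ([]byte, error) {
	resolvedRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return nil, err
	}
	full := filepath.Join(resolvedRoot, name)
	// Lexical check first: rejects "../secret" without touching the filesystem.
	if !isWithin(resolvedRoot, full) {
		return nil, ErrOutsideRoot
	}
	// Follow every link in the path and re-check where it really lands.
	resolved, err := filepath.EvalSymlinks(full)
	if err != nil {
		return nil, err
	}
	if !isWithin(resolvedRoot, resolved) {
		return nil, ErrOutsideRoot
	}
	// Open the already-resolved path, refusing a symlink at the last component.
	f, err := os.OpenFile(resolved, os.O_RDONLY|syscall.O_NOFOLLOW, 0)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	return io.ReadAll(f)
}

func main() {
	// Constructed layout: <tmp>/root is the permitted directory, <tmp>/secret.txt
	// sits outside it, and root/link.txt is a symlink pointing at the secret.
	dir, err := os.MkdirTemp("", "cwe59-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	root := filepath.Join(dir, "root")
	secret := filepath.Join(dir, "secret.txt")
	if err := os.Mkdir(root, 0o755); err != nil {
		panic(err)
	}
	os.WriteFile(secret, []byte("top-secret"), 0o600)
	os.WriteFile(filepath.Join(root, "ok.txt"), []byte("fine"), 0o600)
	os.Symlink(secret, filepath.Join(root, "link.txt"))

	b, err := NaiveReadFile(root, "link.txt")
	fmt.Printf("naive read of link.txt: %q err=%v\n", b, err)
	b, err = SafeReadFile(root, "link.txt")
	fmt.Printf("safe read of link.txt:  %q err=%v\n", b, err)
	b, err = SafeReadFile(root, "ok.txt")
	fmt.Printf("safe read of ok.txt:    %q err=%v\n", b, err)
}
```

The naive read returns the secret; the hardened read returns ErrOutsideRoot for both the symlink and a `../` traversal while still serving files genuinely inside the root. Intermediate directories can still be raced on older kernels; where the Go version allows it, os.OpenRoot is the stronger primitive.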
Potential Impact
The primary impact of CVE-2026-2808 is unauthorized disclosure of sensitive information through arbitrary file reads. An attacker who already holds high privileges on a reachable Consul deployment can read configuration files, credentials or other sensitive data stored on the Consul server host, which can feed lateral movement or privilege escalation elsewhere in the infrastructure. The vulnerability does not affect data integrity or availability, but the confidentiality loss can be severe when the exposed files hold secrets, API keys or internal system details. Deployments that use Kubernetes authentication with Consul are the ones at risk, and that configuration is common in cloud-native and microservices architectures where Consul underpins service discovery and configuration management.
Mitigation Recommendations
To mitigate CVE-2026-2808, upgrade HashiCorp Consul to the patched release for your branch: 1.18.21, 1.21.11 or 1.22.5. Where immediate patching is not feasible, reduce the set of principals that can reach the vulnerable path: restrict network exposure of the Consul servers, and make sure only trusted operators hold the high-privilege ACL tokens needed to manage auth methods and the Kubernetes authentication configuration. Review that configuration so it grants only the privileges it needs, and segment Consul servers away from untrusted networks. Audit and monitor file access on Consul server hosts so that reads of files outside Consul's data and configuration directories stand out as a possible exploitation attempt. Rotating secrets and credentials that Consul stores or manages limits the damage of any disclosure that has already happened. Finally, keep an up-to-date inventory of Consul deployments, including the running version and whether a Kubernetes auth method is configured, and feed that inventory into vulnerability scanning in the CI/CD pipeline so affected instances are found and remediated promptly.
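The inventory step above is the one that is easy to get wrong by hand, because the advisory's affected set is not a plain interval: 1.18.21 sorts between 1.18.20 and 1.21.10 yet carries the fix. The following is an added example, not HashiCorp tooling, that encodes exactly the affected and fixed versions stated on this page, strips Enterprise "+ent" suffixes, and pairs the version check with a scan of `consul acl auth-method list -format=json` output for methods of type "kubernetes". The sample listing is constructed, and the Name/Type field names of that JSON are an assumption; versions such as 1.19.x and 1.20.x inside the stated interval are treated as affected because the page's range includes them.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Version is a Consul release number with any "+ent" or pre-release suffix dropped.
type Version struct{ Major, Minor, Patch int }

// ParseVersion accepts forms like "1.21.10", "v1.21.10" and "1.21.10+ent".
func ParseVersion(s string) (Version, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexAny(s, "+-"); i >= 0 {
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return Version{}, fmt.Errorf("unrecognised version %q", s)
	}
	var n [3]int
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil {
			return Version{}, fmt.Errorf("unrecognised version %q: %w", s, err)
		}
		n[i] = v
	}
	return Version{n[0], n[1], n[2]}, nil
}

// Less orders versions by major, then minor, then patch.
func (v Version) Less(o Version) bool {
	if v.Major != o.Major {
		return v.Major < o.Major
	}
	if v.Minor != o.Minor {
		return v.Minor < o.Minor
	}
	return v.Patch < o.Patch
}

// fixedIn maps a release branch to the first patch release carrying the fix,
// as listed in the advisory: 1.18.21, 1.21.11 and 1.22.5.
var fixedIn = map[[2]int]int{
	{1, 18}: 21,
	{1, 21}: 11,
	{1, 22}: 5,
}

// IsAffected encodes the advisory's affected set, 1.18.20 through 1.21.10 plus
// 1.22.4, minus releases at or after the fixed patch on their own branch.
func IsAffected(v Version) bool {
	if p, ok := fixedIn[[2]int{v.Major, v.Minor}]; ok && v.Patch >= p {
		return false
	}
	lo, hi := Version{1, 18, 20}, Version{1, 21, 10}
	inRange := !v.Less(lo) && !hi.Less(v)
	return inRange || v == (Version{1, 22, 4})
}

// authMethod is the subset of the auth-method listing this check relies on.
// Field names are assumed to match the CLI's JSON output.
type authMethod struct {
	Name string `json:"Name"`
	Type string `json:"Type"`
}

// KubernetesAuthMethods returns the names of configured auth methods of type "kubernetes".
func KubernetesAuthMethods(listJSON []byte) ([]string, error) {
	var methods []authMethod
	if err := json.Unmarshal(listJSON, &methods); err != nil {
		return nil, err
	}
	var names []string
	for _, m := range methods {
		if m.Type == "kubernetes" {
			names = append(names, m.Name)
		}
	}
	return names, nil
}

// Exposed reports whether a cluster meets both advisory conditions: an affected
// version and at least one Kubernetes auth method. It also returns those methods.
func Exposed(version string, listJSON []byte) (bool, []string, error) {
	v, err := ParseVersion(version)
	if err != nil {
		return false, nil, err
	}
	names, err := KubernetesAuthMethods(listJSON)
	if err != nil {
		return false, nil, err
	}
	return IsAffected(v) && len(names) > 0, names, nil
}

// sampleList is a constructed listing, not output captured from a real cluster.
const sampleList = `[{"Name":"k8s-prod","Type":"kubernetes","Description":"prod cluster"},
{"Name":"oidc-corp","Type":"oidc","Description":"corporate SSO"}]`

func main() {
	for _, ver := range []string{"1.18.20", "1.18.21+ent", "1.21.10", "1.22.4", "1.22.5"} {
		exposed, names, err := Exposed(ver, []byte(sampleList))
		fmt.Printf("%-12s exposed=%-5v kubernetes auth methods=%v err=%v\n", ver, exposed, names, err)
	}
}
```

In practice the version comes from `consul version` or the Config.Version field of `/v1/agent/self`, and the listing from the CLI command named above run with an operator token; a cluster is only flagged when both conditions hold, which keeps the result aligned with the advisory rather than with the version number alone.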
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Netherlands, France, Japan, South Korea, India, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: HashiCorp
- Date Reserved: 2026-02-19T15:17:24.550Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b1faec2f860ef94395a3ac
Added to database: 3/11/2026, 11:29:48 PM
Last enriched: 3/11/2026, 11:44:05 PM
Last updated: 3/12/2026, 12:38:19 AM