CVE-2021-41805

HIGH

HashiCorp Consul Enterprise < 1.8.17, 1.9.x < 1.9.11, 1.10.x < 1.10.4 - Incorrect Access Control via Namespace ACL Token

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2021-41805. PoCs published by blackm4c, acfirthh.

AI-analyzed exploit summary This exploit leverages CVE-2021-41805, an incorrect access control vulnerability in HashiCorp Consul Enterprise, to achieve remote code execution by registering a malicious service with a reverse shell payload. The exploit uses an ACL token with default operator:write permissions to escalate privileges across namespaces.

Description

HashiCorp Consul Enterprise before 1.8.17, 1.9.x before 1.9.11, and 1.10.x before 1.10.4 has Incorrect Access Control. An ACL token (with the default operator:write permissions) in one namespace can be used for unintended privilege escalation in a different namespace.

Exploits (2)

nomisec WORKING POC 1 stars

by blackm4c · poc

https://github.com/blackm4c/CVE-2021-41805

View Code ZIP pw:eip

This exploit leverages CVE-2021-41805, an incorrect access control vulnerability in HashiCorp Consul Enterprise, to achieve remote code execution by registering a malicious service with a reverse shell payload. The exploit uses an ACL token with default operator:write permissions to escalate privileges across namespaces.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: HashiCorp Consul Enterprise before 1.8.17, 1.9.x before 1.9.11, and 1.10.x before 1.10.4

Auth required

Prerequisites: ACL token with operator:write permissions · Network access to the Consul API

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC

by acfirthh · poc

https://github.com/acfirthh/CVE-2021-41805

View Code ZIP pw:eip

This is a functional exploit for CVE-2021-41805, targeting HashiCorp Consul Enterprise. It leverages an ACL token with operator:write permissions to achieve remote code execution via a reverse shell payload.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: HashiCorp Consul Enterprise < 1.8.17, 1.9.x < 1.9.11, 1.10.x < 1.10.4

Auth required

Prerequisites: ACL token with operator:write permissions · Network access to the Consul API

MITRE ATT&CK

T1059 - Command and Scripting Interpreter T1078 - Valid Accounts T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Product, Vendor Advisory x_refsource_misc

https://www.hashicorp.com/blog/category/consul

Vendor Advisory x_refsource_misc

https://discuss.hashicorp.com/t/hcsec-2021-29-consul-enterprise-namespace-default-acls-allow-privilege-escalation/31871

Third Party Advisory x_refsource_confirm

https://security.netapp.com/advisory/ntap-20211229-0007/

Scores

CVSS v3 8.8

EPSS 0.3479

EPSS Percentile 98.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-863

Status published

Products (1)

hashicorp/consul 1.7.0 - 1.8.17

Published Dec 12, 2021

Tracked Since Feb 18, 2026