CVE-2026-7776 PUBLISHED

Boundary Workers Vulnerable to Denial of Service During TLS Handshake

Assigner: HashiCorp
Reserved: 04.05.2026 Published: 04.05.2026 Updated: 04.05.2026

Boundary Community Edition and Boundary Enterprise (“Boundary”) workers are vulnerable to a denial-of-service condition during node enrollment TLS handshakes. An attacker with network access to the worker authentication listener may open a connection and delay or withhold the client certificate during the TLS handshake, causing worker connection handling to block. This may prevent legitimate worker connections from being accepted or routed. This vulnerability, CVE-2026-7776, is fixed in Boundary 0.21.3, 0.20.3, 0.19.5.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Score: 7.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	HashiCorp
Product	Boundary
Versions	Default: unaffected affected from 0.9.0 to 0.21.3 (excl.)

Vendor	HashiCorp
Product	Boundary Enterprise
Versions	Default: unaffected affected from 0.9.0 to 0.21.3 (excl.)

Credits

This issue was identified by the Boundary Engineering team.

References

https://discuss.hashicorp.com/t/hcsec-2026-11-boundary-workers-vulnerable-to-denial-of-service-during-tls-handshake

Problem Types

CWE-770: Allocation of Resources Without Limits or Throttling CWE

Impacts

CAPEC-227: Sustained Client Engagement