Port reference

Port 8500 (TCP) – HashiCorp Consul HTTP API

HTTP API and web UI for HashiCorp Consul service discovery, KV store, and health checks.

TCP | Registered | Commonly attacked

Default state

Open on Consul agents/servers. Without ACLs the API is unauthenticated, so anyone reaching 8500 can read and modify cluster state.

Common attacks

  • Exposed unauthenticated API leaking service catalog and KV secrets
  • Remote code execution via registered script health checks
  • Tampering with service discovery to reroute or poison traffic
  • Internal recon by enumerating nodes, services, and metadata

Hardening

  • Enable Consul ACLs with a default-deny policy
  • Bind the API to private interfaces; never expose 8500 to the internet
  • Disable script checks or restrict them (enable_script_checks=false)
  • Require TLS and tokens for API access
  • Firewall 8500/8600 to cluster members and trusted clients only

nmap snippet

nmap -p8500 --script http-title,banner <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 8500?

Port 8500 serves the HashiCorp Consul HTTP API and web UI. Applications and operators use it for service discovery, the key/value store, and health checks across a Consul cluster. Consul's DNS interface runs separately on 8600, while gossip and RPC use other ports.

Why it matters for security

Consul holds a map of your infrastructure plus secrets in its KV store. By default the API has no authentication until ACLs are enabled, so anyone reaching 8500 can read and modify cluster state. Worse, Consul can run script health checks — a feature that turns API write access into command execution on agents.

How it's attacked

Attackers find an exposed, unauthenticated 8500, dump the service catalog and KV secrets, and enumerate nodes and metadata for internal recon. They tamper with service discovery to reroute or poison traffic, and where script checks are enabled they register a malicious check to achieve remote code execution on Consul agents.

Hardening checklist

Enable Consul ACLs with a default-deny policy and require tokens for API access. Bind the API to private interfaces and keep 8500 off the public internet. Disable script checks (enable_script_checks=false) or tightly restrict them, and require TLS for the API. Firewall 8500 and 8600 to cluster members and trusted clients only. Use the nmap snippet to check exposure on systems you are authorized to test.
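
An added example (not from the original page or from HashiCorp): a small Python audit that checks a Consul agent configuration, in its JSON form, against the checklist above. Both sample configs, the addresses in them and the HTTPS port 8501 are constructed for illustration; the function names are hypothetical.

```python
import ipaddress
import json

# Constructed sample agent configs (JSON form of Consul agent configuration).
WEAK_CONFIG = json.loads("""
{"client_addr": "0.0.0.0",
 "enable_script_checks": true,
 "acl": {"enabled": false},
 "ports": {"http": 8500}}
""")
HARDENED_CONFIG = json.loads("""
{"client_addr": "127.0.0.1 10.0.0.5",
 "enable_script_checks": false,
 "acl": {"enabled": true, "default_policy": "deny"},
 "ports": {"http": -1, "https": 8501}}
""")

def exposed_addrs(client_addr):
    """Return client_addr entries that are wildcard or publicly routable."""
    bad = []
    for item in client_addr.split():
        try:
            ip = ipaddress.ip_address(item)
        except ValueError:
            continue  # go-sockaddr templates and socket paths are not judged here
        if ip.is_unspecified or ip.is_global:
            bad.append(item)
    return bad

def audit(cfg):
    """Return one finding per hardening item from the checklist that fails."""
    findings = []
    acl = cfg.get("acl", {})
    if not acl.get("enabled", False):
        findings.append("acl.enabled is not true: API is unauthenticated")
    elif acl.get("default_policy", "allow") != "deny":
        findings.append("acl.default_policy is not deny")
    bad = exposed_addrs(cfg.get("client_addr", ""))
    if bad:
        findings.append("client_addr exposes the API on: " + ", ".join(bad))
    if cfg.get("enable_script_checks", False):
        findings.append("enable_script_checks is true: API writes can run commands")
    ports = cfg.get("ports", {})
    if ports.get("http", 8500) != -1 or ports.get("https", -1) <= 0:
        findings.append("plaintext HTTP API enabled or HTTPS port not set")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "no findings")
```

The audit covers only what the config file declares; firewalling of 8500/8600 still has to be verified on the network side.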

Frequently asked questions

What is port 8500 used for?

It serves the HashiCorp Consul HTTP API and web UI, used for service discovery, the key/value store, and health checks. Consul's DNS interface runs separately on 8600.

Why is an exposed Consul API dangerous?

Without ACLs, anyone reaching 8500 can read the service catalog and KV secrets, tamper with service discovery, and even achieve RCE through script health checks. Enable ACLs, require TLS, and keep 8500 off the internet.