CVE-2026-25499

7.5 HIGH

📋 TL;DR

This vulnerability in the Terraform/OpenTofu Proxmox provider allows attackers to escape restricted directories via path traversal (../) in SSH configuration, potentially enabling modification of any file on the system. It affects users who followed the insecure sudoer configuration documentation in versions before 0.93.1. The issue stems from improper path validation in suggested sudoer configurations.

💻 Affected Systems

Products:
  • terraform-provider-proxmox
  • opentofu-provider-proxmox
Versions: All versions before 0.93.1
Operating Systems: All Linux/Unix systems running Proxmox
Default Config Vulnerable: ✅ No
Notes: Only vulnerable if following the insecure sudoer configuration documentation from affected versions.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise via arbitrary file write leading to privilege escalation, service disruption, or data destruction.

🟠 Likely Case: Unauthorized modification of configuration files leading to service disruption or credential theft.

🟢 If Mitigated: Limited impact if proper sudoer configurations and file permissions are already in place.

🌐 Internet-Facing: LOW - Requires SSH access and specific sudoer misconfiguration.
🏢 Internal Only: MEDIUM - Internal attackers with SSH access could exploit if misconfigured.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires SSH access and specific sudoer misconfiguration following vulnerable documentation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.93.1

Vendor Advisory: https://github.com/bpg/terraform-provider-proxmox/security/advisories/GHSA-gwch-7m8v-7544

Restart Required: No

Instructions:

1. Update terraform-provider-proxmox to version 0.93.1 or later.
2. Run 'terraform init -upgrade' to update the provider.
3. Review and update any sudoer configurations following the new secure documentation.

🔧 Temporary Workarounds

Secure sudoer configuration (Linux):

  • Manually update sudoer configurations to use absolute paths instead of relative paths containing ../
  • Review /etc/sudoers.d/ files and ensure no path traversal sequences (../) are present in allowed commands

🧯 If You Can't Patch

  • Review and correct all sudoer configurations to remove any ../ sequences and use absolute paths only.
  • Restrict SSH access to trusted users and implement strict sudoer auditing.

🔍 How to Verify

Check if Vulnerable:

You are vulnerable if you are using terraform-provider-proxmox version <0.93.1 AND have sudoer configurations containing ../ sequences.

Check Version:

# Run inside an initialized Terraform working directory. 'terraform version' lists
# providers by registry address (bpg/proxmox), not by repository name, so match on that.
terraform version | grep -i 'bpg/proxmox'

Verify Fix Applied:

Confirm terraform-provider-proxmox version is >=0.93.1 and sudoer configurations use secure paths.

📡 Detection & Monitoring

Log Indicators:

  • Sudo command executions with ../ sequences in arguments
  • Unauthorized file modification attempts in system logs

Network Indicators:

  • SSH connections followed by unusual sudo command patterns

SIEM Query:

source="sudo" AND command="*../*"
