CVE-2026-27640

7.5 HIGH

📋 TL;DR

tfplan2md versions before 1.26.1 fail to properly mask sensitive values in Terraform plan reports, exposing secrets like API keys, passwords, and configuration data. This affects anyone using tfplan2md to generate reports from Terraform plans containing sensitive data. The vulnerability occurs in multiple rendering paths including AzApi resources and AzureDevOps variable groups.

💻 Affected Systems

Products:
  • tfplan2md
Versions: All versions before 1.26.1
Operating Systems: all
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects users generating reports from Terraform plans containing sensitive data marked with (sensitive) flags.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Sensitive infrastructure secrets (database passwords, API keys, cloud credentials) are exposed in reports, potentially leading to full infrastructure compromise if reports are shared or stored insecurely.

🟠 Likely Case

Accidental exposure of sensitive configuration values in reports shared with team members or stored in version control, potentially violating security policies and compliance requirements.

🟢 If Mitigated

Limited exposure if reports are properly secured with strict access controls and not shared beyond authorized personnel.

🌐 Internet-Facing: LOW (tfplan2md is typically used internally for report generation, not exposed to internet)
🏢 Internal Only: MEDIUM (sensitive data exposure within organization if reports are widely shared)

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: LOW (vulnerability triggers automatically during report generation)

No active exploitation reported. The vulnerability is triggered during normal report generation when processing sensitive data.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.26.1

Vendor Advisory: https://github.com/oocx/tfplan2md/security/advisories/GHSA-5j8r-g94q-2f39

Restart Required: No

Instructions:

1. Update tfplan2md to version 1.26.1 or later using your package manager.
2. For Go installations: go get github.com/oocx/tfplan2md@v1.26.1
3. Verify the update with tfplan2md --version.

🔧 Temporary Workarounds

Manual report sanitization (platform: all)

Manually review and redact sensitive values from generated reports before sharing.

🧯 If You Can't Patch

  • Restrict access to generated reports to only authorized personnel
  • Audit all previously generated reports for exposed sensitive data and secure/delete them

🔍 How to Verify

Check if Vulnerable:

Check the tfplan2md version with 'tfplan2md --version'. If the version is below 1.26.1, you are vulnerable.

Check Version:

tfplan2md --version

Verify Fix Applied:

After updating, generate a test report with sensitive data and verify sensitive values are masked as '(sensitive)'.

📡 Detection & Monitoring

Log Indicators:

  • Unusual report generation patterns
  • Reports containing unmasked sensitive values

SIEM Query:

Search for file creation/modification events containing tfplan2md output files with potential sensitive data patterns.
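The "Verify Fix Applied" step above and the detection guidance in this section reduce to the same check: does a generated report contain any value that the Terraform plan itself marks as sensitive? The following Python script is an added example, not code from this advisory or from the tfplan2md project. It walks the standard 'terraform show -json' plan structure (resource_changes[].change.before/after together with the before_sensitive/after_sensitive masks, which is the real Terraform plan JSON layout), collects every sensitive leaf value, and flags any that appear verbatim in a report; a second, keyword-based heuristic catches lines that name a secret-like attribute but carry a literal value instead of the '(sensitive)' mask. The plan, the two reports, the resource attribute shapes and all secret values are constructed samples; the keyword regex is an assumption about what unmasked lines look like, not a rule from the advisory.

```python
import json
import re
from typing import Any, Iterator

MASK = "(sensitive)"  # placeholder a fixed tfplan2md emits in place of a masked value

# Heuristic (assumption): a line naming a secret-like attribute followed by a
# literal value of 8+ characters after '|', '=' or ':' looks like an unmasked secret.
KEY_VALUE = re.compile(r"(?i)(password|secret|token|api[_-]?key)[^|=:\n]*[|=:]\s*`?([^`|\s]{8,})")


def leaf_strings(value: Any) -> Iterator[str]:
    """Yield every scalar inside a plan value as a string (used when a whole subtree is sensitive)."""
    if isinstance(value, bool) or value is None:
        return
    if isinstance(value, str):
        if value:
            yield value
    elif isinstance(value, dict):
        for child in value.values():
            yield from leaf_strings(child)
    elif isinstance(value, list):
        for child in value:
            yield from leaf_strings(child)
    else:
        yield str(value)


def sensitive_values(value: Any, marker: Any) -> Iterator[str]:
    """Walk a plan value next to its *_sensitive mask and yield the sensitive leaves.

    Terraform's mask mirrors the value's shape: `true` marks the whole subtree as
    sensitive, while a dict/list marks only the listed children.
    """
    if marker is True:
        yield from leaf_strings(value)
    elif isinstance(marker, dict) and isinstance(value, dict):
        for key, child in value.items():
            if key in marker:
                yield from sensitive_values(child, marker[key])
    elif isinstance(marker, list) and isinstance(value, list):
        for child, child_marker in zip(value, marker):
            yield from sensitive_values(child, child_marker)


def plan_secrets(plan: dict) -> set[str]:
    """Collect every value the plan marks sensitive, on both the before and after side."""
    secrets: set[str] = set()
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        for side in ("before", "after"):
            secrets.update(sensitive_values(change.get(side), change.get(f"{side}_sensitive", False)))
    return secrets


def audit_report(report: str, plan: dict) -> dict[str, list[str]]:
    """Return sensitive plan values found verbatim in the report, plus heuristically suspicious lines."""
    verbatim = sorted(s for s in plan_secrets(plan) if s in report)
    suspicious = [
        line.strip()
        for line in report.splitlines()
        if MASK not in line and KEY_VALUE.search(line)
    ]
    return {"verbatim_leaks": verbatim, "suspicious_lines": suspicious}


# Constructed sample plan in `terraform show -json` shape; values are made up.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {
            "address": "azuredevops_variable_group.app",
            "change": {
                "actions": ["create"],
                "before": None,
                "after": {
                    "name": "app-vars",
                    "variable": [
                        {"name": "LOG_LEVEL", "value": "info", "secret_value": None},
                        {"name": "DB_PASSWORD", "value": None, "secret_value": "Hunter2-Correct-Horse"},
                    ],
                },
                "before_sensitive": False,
                "after_sensitive": {"variable": [{}, {"secret_value": True}]},
            },
        },
        {
            "address": "azapi_resource.kv_secret",
            "change": {
                "actions": ["update"],
                "before": {"body": {"properties": {"value": "old-kv-value-EXAMPLE"}}},
                "after": {"body": {"properties": {"value": "ak-EXAMPLE-0123456789abcdef"}}},
                "before_sensitive": {"body": True},
                "after_sensitive": {"body": True},
            },
        },
    ],
}

# Constructed reports: one that leaks the plan's secrets, one that masks them.
LEAKY_REPORT = """## azuredevops_variable_group.app (create)
| attribute | value |
|---|---|
| variable[1].name | DB_PASSWORD |
| variable[1].secret_value | Hunter2-Correct-Horse |

## azapi_resource.kv_secret (update)
| attribute | before | after |
|---|---|---|
| body.properties.value | old-kv-value-EXAMPLE | ak-EXAMPLE-0123456789abcdef |
"""
MASKED_REPORT = LEAKY_REPORT
for _secret in plan_secrets(SAMPLE_PLAN):
    MASKED_REPORT = MASKED_REPORT.replace(_secret, MASK)

if __name__ == "__main__":
    # For a real run, load the plan with json.load() from `terraform show -json plan.tfplan`
    # and read the report tfplan2md generated from the same plan.
    for label, report in (("leaky", LEAKY_REPORT), ("masked", MASKED_REPORT)):
        print(label, json.dumps(audit_report(report, SAMPLE_PLAN), indent=2))
```

Running the script against a report generated by a fixed version should return empty lists for both keys; any entry under verbatim_leaks is proof that the report still carries a plan-marked secret and should be treated as an exposed credential, which is also the signal to feed into the SIEM search described above.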
