Description
Terraform / OpenTofu Provider adds support for Proxmox Virtual Environment. Prior to version 0.93.1, in the SSH configuration documentation, the sudoer line suggested is insecure and can result in escaping the folder using ../, allowing any files on the system to be edited. This issue has been patched in version 0.93.1.
Published: 2026-02-04
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

An insecure sudo recommendation in the SSH configuration documentation of the Terraform/OpenTofu Proxmox Virtual Environment provider allows path traversal using "../", enabling a user to edit any file on the system. The flaw is classified as CWE-1188 (initialization of a resource with an insecure default) and CWE-22 (path traversal) and, if exploited, could allow an attacker to modify configuration files or scripts, potentially leading to arbitrary code execution or privilege escalation. The impact is limited to the system where the provider is executed, but the capability to edit arbitrary files is severe enough to allow compromise of critical components.

Affected Systems

The vulnerability affects the Terraform/OpenTofu provider "terraform-provider-proxmox" maintained by bpg. Versions prior to 0.93.1 include the insecure sudo recommendation in their SSH configuration documentation. Systems whose sudoers configuration follows the documented sudo line for a higher-privileged environment are susceptible.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity. EPSS is less than 1 percent, suggesting a very low probability of exploitation in the wild, and the issue is not listed in CISA's KEV catalog. The likely attack vector requires a user capable of executing the provider or modifying its configuration; the flaw is local to the provider's execution context and is mitigated by updating to a patched version.

Generated by OpenCVE AI on April 17, 2026 at 23:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the terraform-provider-proxmox to version 0.93.1 or later
  • Modify or omit the insecure sudo line from the SSH configuration; use a sanitized sudo rule that restricts file edits to specific directories
  • Implement input validation that detects and blocks "../" path traversal when constructing file paths, or strictly enforce file ownership and permissions to prevent unauthorized writes



Advisories
Source: GitHub GHSA
ID: GHSA-gwch-7m8v-7544
Title: terraform-provider-proxmox has insecure sudo recommendation in the documentation

History

Wed, 11 Feb 2026 19:30:00 +0000

Type: First Time appeared
Values Added: Bpg terraform Provider

Type: CPEs
Values Added: cpe:2.3:a:bpg:terraform_provider:*:*:*:*:*:proxmox_virtual_environment:*:*

Type: Vendors & Products
Values Added: Bpg terraform Provider

Type: Metrics
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

Thu, 05 Feb 2026 21:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 05 Feb 2026 11:45:00 +0000

Type: First Time appeared
Values Added: Bpg; Bpg terraform-provider-proxmox

Type: Vendors & Products
Values Added: Bpg; Bpg terraform-provider-proxmox

Wed, 04 Feb 2026 20:45:00 +0000

Type: Description
Values Added: Terraform / OpenTofu Provider adds support for Proxmox Virtual Environment. Prior to version 0.93.1, in the SSH configuration documentation, the sudoer line suggested is insecure and can result in escaping the folder using ../, allowing any files on the system to be edited. This issue has been patched in version 0.93.1.

Type: Title
Values Added: terraform-provider-proxmox has insecure sudo recommendation in the documentation

Type: Weaknesses
Values Added: CWE-1188; CWE-22

Type: References

Type: Metrics
Values Added: cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-05T21:05:30.910Z

Reserved: 2026-02-02T18:21:42.485Z

Link: CVE-2026-25499

Vulnrichment

Updated: 2026-02-05T21:05:17.064Z

NVD

Status : Analyzed

Published: 2026-02-04T21:16:01.043

Modified: 2026-02-11T19:17:14.537

Link: CVE-2026-25499

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T23:15:30Z

Weaknesses