Description
tfplan2md is software for converting Terraform plan JSON files into human-readable Markdown reports. Prior to version 1.26.1, a bug in tfplan2md affected several distinct rendering paths: AzApi resource body properties, AzureDevOps variable groups, Scriban template context variables, and hierarchical sensitivity detection. This caused reports to render values that should have been masked as "(sensitive)" instead. This issue is fixed in v1.26.1. No known workarounds are available.
Published: 2026-02-25
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Value Exposure
Action: Patch Now
AI Analysis

Impact

tfplan2md is a utility that transforms Terraform plan JSON into Markdown reports. A bug in versions before 1.26.1 caused the tool to render sensitive values that should have been masked as "(sensitive)". The weakness is improper removal of sensitive information before storage or transfer (CWE-212), and it can result in the disclosure of credentials, API keys or other secrets that end up in the generated Markdown.

Affected Systems

The vulnerable product is oocx tfplan2md, all releases before 1.26.1. Affected rendering paths include AzApi resource bodies, AzureDevOps variable groups, Scriban template context variables, and hierarchical sensitivity detection. No other products or vendors are listed as affected, and the fix is included in release v1.26.1.

Risk and Exploitability

The CVSS score of 8.5 indicates a high-severity vulnerability. The EPSS score of less than 1% suggests that exploitation is unlikely at present, and the vulnerability is not in the CISA KEV catalog. Exploitation requires the ability to run tfplan2md against a Terraform plan that contains sensitive data. In many CI/CD pipelines that means an internal or compromised user who can invoke the tool, or a misconfigured build environment, can generate a report that exposes secrets, resulting in a loss of confidentiality.

Generated by OpenCVE AI on April 18, 2026 at 17:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade tfplan2md to version 1.26.1 or later to apply the patch that masks sensitive data correctly.
  • Audit existing Markdown reports created by older tfplan2md versions for exposed secrets and remediate any leaks.
  • Restrict the execution of tfplan2md to trusted CI runners or privileged users, and enforce access controls on the tool and the Terraform plan files.
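As an added example (not part of tfplan2md or of this advisory), a Python check for the audit step above: it walks the Terraform plan's `before_sensitive`/`after_sensitive` masks to list every value Terraform marked sensitive, then searches the generated Markdown for any of those values appearing verbatim instead of the "(sensitive)" placeholder. The plan and report fragment below are constructed samples, and the mask layout is assumed to follow Terraform's plan JSON format.

```python
from __future__ import annotations
from typing import Any, Iterator

def sensitive_leaves(value: Any, mask: Any, path: str = "") -> Iterator[tuple[str, str]]:
    """Yield (path, scalar) for every value the plan's *_sensitive mask marks as sensitive.
    The mask mirrors the value's shape: True at a sensitive leaf, or nested dicts/lists of
    masks; True at a container marks every scalar beneath it."""
    if mask is True:
        if isinstance(value, dict):
            for k, v in value.items():
                yield from sensitive_leaves(v, True, f"{path}.{k}")
        elif isinstance(value, list):
            for i, v in enumerate(value):
                yield from sensitive_leaves(v, True, f"{path}[{i}]")
        elif value is not None:
            yield path, str(value)
    elif isinstance(mask, dict) and isinstance(value, dict):
        for k, m in mask.items():
            if k in value:
                yield from sensitive_leaves(value[k], m, f"{path}.{k}")
    elif isinstance(mask, list) and isinstance(value, list):
        for i, m in enumerate(mask[: len(value)]):
            yield from sensitive_leaves(value[i], m, f"{path}[{i}]")

def find_leaked_secrets(plan: dict, report_md: str) -> list[tuple[str, str]]:
    """Return (resource address + path, value) for each sensitive value that appears
    verbatim in the Markdown report instead of the "(sensitive)" placeholder."""
    leaks = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        for state in ("before", "after"):
            mask = change.get(f"{state}_sensitive", False)
            for path, leaf in sensitive_leaves(change.get(state), mask):
                # Very short values ("1", "true") would match almost any report; skip them.
                if len(leaf) >= 8 and leaf in report_md:
                    leaks.append((f"{rc['address']}{path}", leaf))
    return leaks

# Constructed sample plan (not a real plan): one AzApi resource with a sensitive body property.
SAMPLE_PLAN = {"format_version": "1.2", "resource_changes": [{
    "address": "azapi_resource.kv_secret", "type": "azapi_resource",
    "change": {
        "actions": ["create"], "before": None, "before_sensitive": False,
        "after": {"name": "db-conn", "body": {"properties": {"value": "Sup3rS3cretPassw0rd!"}}},
        "after_sensitive": {"body": {"properties": {"value": True}}},
    }}]}
# Constructed report fragment with the value unmasked, as an affected version would render it.
SAMPLE_REPORT = "| body.properties.value | Sup3rS3cretPassw0rd! |\n"
```

Run `find_leaked_secrets(json.load(open("plan.json")), open("report.md").read())` against a real plan and report; any non-empty result means that report should be treated as containing leaked secrets.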

Advisories

No advisories yet.

History

Wed, 04 Mar 2026 16:15:00 +0000

  CPEs
    Removed: cpe:2.3:a:tfplan2md:tfplan2md:*:*:*:*:*:*:*:*
    Added:   cpe:2.3:a:oocx:tfplan2md:*:*:*:*:*:*:*:*
  Vendors & Products
    Removed: Tfplan2md; Tfplan2md tfplan2md

Fri, 27 Feb 2026 18:45:00 +0000

  First Time appeared
    Added: Tfplan2md; Tfplan2md tfplan2md
  CPEs
    Added: cpe:2.3:a:tfplan2md:tfplan2md:*:*:*:*:*:*:*:*
  Vendors & Products
    Added: Tfplan2md; Tfplan2md tfplan2md
  Metrics
    Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Wed, 25 Feb 2026 22:15:00 +0000

  Metrics
    Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Feb 2026 12:00:00 +0000

  First Time appeared
    Added: Oocx; Oocx tfplan2md
  Vendors & Products
    Added: Oocx; Oocx tfplan2md

Wed, 25 Feb 2026 04:15:00 +0000

  Description
    Added: tfplan2md is software for converting Terraform plan JSON files into human-readable Markdown reports. Prior to version 1.26.1, a bug in tfplan2md affected several distinct rendering paths: AzApi resource body properties, AzureDevOps variable groups, Scriban template context variables, and hierarchical sensitivity detection. This caused reports to render values that should have been masked as "(sensitive)" instead. This issue is fixed in v1.26.1. No known workarounds are available.
  Title
    Added: tfplan2md has Sensitive Value Exposure in Generated Reports
  Weaknesses
    Added: CWE-212
  References
  Metrics
    Added: cvssV4_0 {'score': 8.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-25T21:21:08.940Z

Reserved: 2026-02-20T22:02:30.029Z

Link: CVE-2026-27640

Vulnrichment

Updated: 2026-02-25T21:20:30.126Z

NVD

Status : Analyzed

Published: 2026-02-25T04:16:04.450

Modified: 2026-03-04T16:01:34.723

Link: CVE-2026-27640

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T17:45:06Z

Weaknesses