Description
The Terraform Provider for Linode versions prior to v3.9.0 logged sensitive information including some passwords, StackScript content, and object storage data in debug logs without redaction. Provider debug logging is not enabled by default. This issue is exposed when debug/provider logs are explicitly enabled (for example in local troubleshooting, CI/CD jobs, or centralized log collection). If enabled, sensitive values may be written to logs and then retained, shared, or exported beyond the original execution environment. An authenticated user with access to provider debug logs (through log aggregation systems, CI/CD pipelines, or debug output) would thus be able to extract these sensitive credentials. Versions 3.9.0 and later sanitize debug logs by logging only non-sensitive metadata such as labels, regions, and resource IDs while redacting credentials, tokens, keys, scripts, and other sensitive content. Some other mitigations and workarounds are available. Disable Terraform/provider debug logging or set it to `WARN` level or above, restrict access to existing and historical logs, purge/retention-trim logs that may contain sensitive values, and/or rotate potentially exposed secrets/credentials.
Published: 2026-02-26
Score: 5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Exposure
Action: Patch
AI Analysis

Impact

The Terraform Provider for Linode writes authentication keys, passwords, and other sensitive data to debug logs when the provider runs with debug logging enabled, without redacting these values. A privileged user who can view the logs—such as a developer, CI/CD runner, or system administrator with access to aggregated log stores—can read credentials and tokens and retrieve StackScript contents stored in the logs. The vulnerability is a classic instance of CWE‑532, where sensitive information is recorded in application logs. The likely attack vector is enabling the provider’s debug mode, which is off by default but may be turned on for troubleshooting or when running build pipelines. The disclosure potential arises not from an external network exploit but from internal access to the logs, so the vulnerability’s threat surface depends on the security of the logging infrastructure. Though the CVSS score is 5, indicating moderate severity, the EPSS score is less than 1%, and the issue is not listed as Known Exploited, the exposure of credentials can be serious if privileged individuals or compromised CI systems gain access to the logs. The consequence is loss of confidentiality and potential compromise of authenticated resources on Linode.

Affected Systems

Linode Terraform provider versions before 3.9.0. The affected product includes all releases of the Linode provider distributed through Terraform prior to the 3.9.0 release that introduced log sanitization. The vulnerability applies to all operating environments where provider debug logging might be enabled.

Risk and Exploitability

The risk is moderate, as indicated by CVSS 5, but exploitation hinges on an internal actor’s ability to read provider debug logs. Because debug logging is disabled by default and the EPSS score is very low, the likelihood of accidental exploitation is small. However, when debug logging is actively enabled—for instance during local debugging, CI/CD runs, or centralized log collection—an attacker could read or export logs and obtain credentials or scripts, especially if those logs are retained and shared. The vulnerability is not listed in CISA’s KEV catalog, meaning there is no known exploitation in the wild yet. Securing log access and disabling debug output are effective mitigations.

Generated by OpenCVE AI on April 17, 2026 at 14:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch to upgrade to version 3.9.0 or later, which sanitizes debug logs.
  • Disable provider debug logging or set the level to WARN or higher to prevent sensitive data from being logged.
  • Limit access to existing debug logs by restricting permissions on log aggregation platforms and enforcing least‑privilege access.
  • Purge or trim historical logs that may contain sensitive values and rotate any credentials that could have been exposed.
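One way to act on the last two bullets, as an added example that is neither the advisory's nor the provider's own code: a Python triage script that walks retained Terraform provider debug-log lines, reports which secret-bearing fields were written (so the matching credentials can be rotated) and emits a redacted copy that keeps only metadata such as labels, regions and IDs, in the spirit of the v3.9.0 sanitization. The sensitive-key list and the sample log lines are constructed assumptions.

```python
import json
import re

# Secret-bearing attribute names. The advisory cites passwords, keys, tokens and
# StackScript content; this list is an assumption from Linode API field names.
SENSITIVE_KEYS = {"root_pass", "authorized_keys", "script", "access_key",
                  "secret_key", "token", "password", "private_key"}
JSON_BODY = re.compile(r"(\{.*\})\s*$")  # JSON object at the end of a log line

def scrub(obj, leaks, prefix=""):
    """Return a copy with sensitive values replaced; record their paths in leaks."""
    if isinstance(obj, dict):
        out = {}
        for k, v in obj.items():
            path = f"{prefix}.{k}" if prefix else k
            if k in SENSITIVE_KEYS and v not in (None, "", [], {}):
                leaks.append(path)
                out[k] = "[REDACTED]"  # keep the key so the line stays readable
            else:
                out[k] = scrub(v, leaks, path)
        return out
    if isinstance(obj, list):
        return [scrub(v, leaks, f"{prefix}[{i}]") for i, v in enumerate(obj)]
    return obj  # labels, regions, ids and other metadata pass through

def triage_log(text):
    """Return ([(line_no, field), ...], redacted_lines) for a debug log."""
    leaks, clean = [], []
    for n, line in enumerate(text.splitlines(), 1):
        m = JSON_BODY.search(line)
        try:
            payload = json.loads(m.group(1)) if m else None
        except json.JSONDecodeError:
            payload = None  # trailing braces but not JSON: leave the line alone
        if payload is None:
            clean.append(line)
            continue
        fields = []
        safe = scrub(payload, fields)
        leaks += [(n, f) for f in fields]
        clean.append(line[:m.start(1)] + json.dumps(safe, separators=(",", ":")))
    return leaks, clean
# Constructed sample in Terraform's provider debug-log layout, not a real capture.
SAMPLE_LOG = """\
2026-02-26T10:00:01.000Z [DEBUG] provider.terraform-provider-linode: request body: {"label":"web-1","region":"us-east","root_pass":"Hunter2!","authorized_keys":["ssh-ed25519 AAAAexample"]}
2026-02-26T10:00:02.000Z [DEBUG] provider.terraform-provider-linode: response body: {"id":123,"label":"web-1","region":"us-east"}
2026-02-26T10:00:03.000Z [WARN]  provider.terraform-provider-linode: retrying request"""
if __name__ == "__main__":
    print(triage_log(SAMPLE_LOG)[0])  # -> [(1, 'root_pass'), (1, 'authorized_keys')]
```

Run it against an exported log file instead of SAMPLE_LOG to get the rotation list, and write the second return value back as the retention-trimmed copy.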


Advisories
Source: GitHub GHSA
ID: GHSA-5rc7-2jj6-mp64
Title: Terraform Provider for Linode Debug Logs Vulnerable to Sensitive Information Exposure
History

Wed, 11 Mar 2026 23:30:00 +0000

First Time appeared (added): Terraform; Terraform linode Provider
CPEs (added): cpe:2.3:a:terraform:linode_provider:*:*:*:*:*:*:*:*
Vendors & Products (added): Terraform; Terraform linode Provider

Thu, 26 Feb 2026 15:15:00 +0000

Metrics ssvc (added):
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Feb 2026 13:30:00 +0000

First Time appeared (added): Linode; Linode terraform-provider-linode
Vendors & Products (added): Linode; Linode terraform-provider-linode

Thu, 26 Feb 2026 07:30:00 +0000

References (added)

Thu, 26 Feb 2026 01:30:00 +0000

Description (added): identical to the Description at the top of this record
Title (added): Terraform Provider Debug Logs Vulnerable to Sensitive Information Exposure
Weaknesses (added): CWE-532
References (added)
Metrics cvssV3_1 (added):
{'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T14:35:31.565Z

Reserved: 2026-02-24T15:19:29.718Z

Link: CVE-2026-27900

Vulnrichment

Updated: 2026-02-26T06:21:03.119Z

NVD

Status: Analyzed

Published: 2026-02-26T02:16:20.770

Modified: 2026-03-11T23:22:38.657

Link: CVE-2026-27900

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T14:45:21Z

Weaknesses