Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-27640 is a security vulnerability in the tfplan2md software, which converts Terraform plan JSON files into Markdown reports. Before version 1.26.1, a bug caused sensitive values in these reports to be displayed in plaintext instead of being masked as "(sensitive)".'}, {'type': 'paragraph', 'content': 'This issue affected multiple rendering paths including AzApi resource body properties, AzureDevOps variable groups, Scriban template context variables, and hierarchical sensitivity detection. Sensitive data such as passwords and secrets were exposed in the generated reports.'}, {'type': 'paragraph', 'content': 'The vulnerability was fixed in version 1.26.1 by ensuring all sensitive values are properly masked in all output sections unless explicitly revealed with a special flag.'}] [1, 2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to the unintended exposure of sensitive Terraform values such as passwords, client secrets, and other confidential configuration data in human-readable Markdown reports.

Because these reports may be shared or stored in less secure environments, attackers or unauthorized users could gain access to sensitive information, leading to confidentiality breaches.

The vulnerability has a high severity score (CVSS 8.5) with a network attack vector, low complexity, and requires low privileges and no user interaction, making it relatively easy to exploit remotely.

The primary impact is high confidentiality loss, which could subsequently affect system integrity and availability if attackers leverage the exposed secrets.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves the exposure of sensitive Terraform values in Markdown reports generated by tfplan2md prior to version 1.26.1. Detection would involve examining the generated Markdown reports for any plaintext sensitive values that should have been masked as "(sensitive)".'}, {'type': 'paragraph', 'content': 'Since the issue is related to the rendering of sensitive data in reports, you can detect it by reviewing tfplan2md output files for unmasked sensitive information such as passwords, client secrets, or other confidential Terraform values.'}, {'type': 'paragraph', 'content': 'There are no specific network or system commands provided in the resources to detect this vulnerability automatically.'}] [1, 2]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The immediate mitigation step is to upgrade tfplan2md to version 1.26.1 or later, where the vulnerability has been fixed.'}, {'type': 'paragraph', 'content': 'This update ensures that all sensitive Terraform values are properly masked as "(sensitive)" in generated Markdown reports, preventing unintended plaintext exposure.'}, {'type': 'paragraph', 'content': 'No known workarounds are available, so upgrading is the only effective mitigation.'}] [1, 2]

Useful 0 Not Useful 0