CVE-2026-27640
Sensitive Data Exposure in tfplan2md Due to Masking Bug
Publication date: 2026-02-25
Last updated on: 2026-03-04
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| oocx | tfplan2md | up to 1.26.1 (excluding) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-212 | The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27640 is a security vulnerability in the tfplan2md software, which converts Terraform plan JSON files into Markdown reports. Before version 1.26.1, a bug caused sensitive values in these reports to be displayed in plaintext instead of being masked as "(sensitive)".

This issue affected multiple rendering paths including AzApi resource body properties, AzureDevOps variable groups, Scriban template context variables, and hierarchical sensitivity detection. Sensitive data such as passwords and secrets were exposed in the generated reports.

The vulnerability was fixed in version 1.26.1 by ensuring all sensitive values are properly masked in all output sections unless explicitly revealed with a special flag. [1, 2]
How can this vulnerability impact me?
This vulnerability can lead to the unintended exposure of sensitive Terraform values such as passwords, client secrets, and other confidential configuration data in human-readable Markdown reports.
Because these reports may be shared or stored in less secure environments, attackers or unauthorized users could gain access to sensitive information, leading to confidentiality breaches.
The vulnerability has a high severity score (CVSS 8.5) with a network attack vector, low complexity, and requires low privileges and no user interaction, making it relatively easy to exploit remotely.
The primary impact is high confidentiality loss, which could subsequently affect system integrity and availability if attackers leverage the exposed secrets.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the exposure of sensitive Terraform values in Markdown reports generated by tfplan2md prior to version 1.26.1. Detection would involve examining the generated Markdown reports for any plaintext sensitive values that should have been masked as "(sensitive)".

Since the issue is related to the rendering of sensitive data in reports, you can detect it by reviewing tfplan2md output files for unmasked sensitive information such as passwords, client secrets, or other confidential Terraform values.

There are no specific network or system commands provided in the resources to detect this vulnerability automatically. [1, 2]
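The review described above can be automated: Terraform's JSON plan output marks sensitive attributes in `resource_changes[].change.after_sensitive`, so a checker can collect every plaintext value the plan itself flags as sensitive and then search the tfplan2md Markdown report for those literals. The script below is an added example written for this page; it is not code from the advisory or from the tfplan2md project. The plan document and both reports are constructed samples (the resource addresses, attribute names and secret values are made up), and the only assumption about real input is the `after`/`after_sensitive` shape of Terraform's JSON plan format.

```python
import json
from typing import Any, Iterator

# Constructed sample plan. It follows the shape of Terraform's JSON plan format
# (resource_changes[].change.after / after_sensitive); resources, addresses
# and values are invented for this example.
SAMPLE_PLAN: dict[str, Any] = {
    "format_version": "1.2",
    "resource_changes": [
        {
            "address": "azapi_resource.vm",
            "change": {
                "actions": ["create"],
                "after": {
                    "name": "vm-01",
                    "body": {"properties": {"adminUsername": "azureuser",
                                            "adminPassword": "Example-Pa55w0rd"}},
                },
                # Only adminPassword is flagged; its siblings are not sensitive.
                "after_sensitive": {"body": {"properties": {"adminPassword": True}}},
            },
        },
        {
            "address": "azuredevops_variable_group.ci",
            "change": {
                "actions": ["create"],
                "after": {"name": "ci-secrets",
                          "variable": [{"name": "API_TOKEN", "value": "tok-constructed-123",
                                        "is_secret": True}]},
                # Lists are marked positionally in after_sensitive.
                "after_sensitive": {"variable": [{"value": True}]},
            },
        },
    ],
}

# Constructed reports: the first mimics the pre-1.26.1 behaviour (secrets in
# plaintext), the second the fixed "(sensitive)" masking.
LEAKY_REPORT = """\
## azapi_resource.vm (create)
| Property | Value |
|---|---|
| name | vm-01 |
| body.properties.adminUsername | azureuser |
| body.properties.adminPassword | Example-Pa55w0rd |

## azuredevops_variable_group.ci (create)
| Variable | Value |
|---|---|
| API_TOKEN | tok-constructed-123 |
"""
MASKED_REPORT = (LEAKY_REPORT.replace("Example-Pa55w0rd", "(sensitive)")
                             .replace("tok-constructed-123", "(sensitive)"))


def load_plan(path: str) -> dict[str, Any]:
    """Read a plan produced by `terraform show -json plan.tfplan`."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def _leaves(value: Any, path: str) -> Iterator[tuple[str, str]]:
    """Yield every scalar beneath `value` as (dotted path, string form)."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from _leaves(child, f"{path}.{key}" if path else key)
    elif isinstance(value, list):
        for i, child in enumerate(value):
            yield from _leaves(child, f"{path}[{i}]")
    elif value is not None:
        yield path, str(value)


def iter_sensitive_leaves(value: Any, marker: Any, path: str = "") -> Iterator[tuple[str, str]]:
    """Walk `value` alongside its after_sensitive `marker`, yielding flagged leaves.

    A `True` marker covers the whole subtree below it (hierarchical sensitivity);
    dicts and lists in the marker are descended in parallel with the value.
    """
    if marker is True:
        yield from _leaves(value, path)
    elif isinstance(value, dict) and isinstance(marker, dict):
        for key, child in value.items():
            yield from iter_sensitive_leaves(child, marker.get(key, False),
                                             f"{path}.{key}" if path else key)
    elif isinstance(value, list) and isinstance(marker, list):
        for i, child in enumerate(value):
            sub = marker[i] if i < len(marker) else False
            yield from iter_sensitive_leaves(child, sub, f"{path}[{i}]")


def sensitive_values(plan: dict[str, Any]) -> dict[str, str]:
    """Map 'address:path' to plaintext for every value the plan flags as sensitive."""
    found: dict[str, str] = {}
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        for path, val in iter_sensitive_leaves(change.get("after"),
                                               change.get("after_sensitive", False)):
            found[f"{rc['address']}:{path}"] = val
    return found


def find_leaks(report_md: str, plan: dict[str, Any]) -> list[str]:
    """Return the sensitive paths whose plaintext value appears verbatim in the report."""
    return sorted(p for p, v in sensitive_values(plan).items() if v and v in report_md)


if __name__ == "__main__":
    for label, report in (("leaky", LEAKY_REPORT), ("masked", MASKED_REPORT)):
        leaks = find_leaks(report, SAMPLE_PLAN)
        print(f"{label} report: {len(leaks)} leaked sensitive value(s)")
        for path in leaks:
            print(f"  {path}")
```

Run it against a real plan with `find_leaks(open("report.md").read(), load_plan("plan.json"))`; a non-empty result means the report exposes a value the plan itself marked sensitive, regardless of which tfplan2md rendering path produced it. Because the check is a literal substring match, short or generic sensitive values (a port number, `true`) can match unrelated text and should be reviewed by hand rather than treated as confirmed leaks.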
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade tfplan2md to version 1.26.1 or later, where the vulnerability has been fixed.

This update ensures that all sensitive Terraform values are properly masked as "(sensitive)" in generated Markdown reports, preventing unintended plaintext exposure.

No known workarounds are available, so upgrading is the only effective mitigation. [1, 2]