CVE-2026-27640
Published: 25 February 2026
Summary
CVE-2026-27640 is a high-severity Improper Removal of Sensitive Information Before Storage or Transfer (CWE-212) vulnerability in Oocx Tfplan2Md. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001); ranked at the 14.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Eradication of spilled information from contaminated systems mitigates the effects of improper removal of sensitive data before storage or transfer.
- The control requires verified removal of sensitive data before media is made available at a reduced classification level, directly addressing improper removal prior to storage or transfer.
- Explicit procedures to delete inaccurate or outdated PII directly mitigate improper removal of sensitive information before storage or transfer.
- Retention policies enforce removal or sanitization of sensitive data before storage or transfer per regulatory requirements.
- The explicit requirement to delete inaccurate/outdated PII implements proper removal of sensitive information before further storage or transfer.
- The control implements proper removal of sensitive information before storage or transfer of datasets.
- The generate-on-demand-and-delete requirement enforces removal of sensitive information before storage or transfer, preventing improper retention.
- Requires explicit removal of sensitive information prior to component transfer or disposal, reducing exposure from retained data.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability causes sensitive credentials/secrets from Terraform plans to be written unmasked into Markdown reports (instead of redacted), directly enabling credential access from files and data retrieval from code repositories or CI artifacts where those reports are stored or shared.
NVD Description
tfplan2md is software for converting Terraform plan JSON files into human-readable Markdown reports. Prior to version 1.26.1, a bug in tfplan2md affected several distinct rendering paths: AzApi resource body properties, AzureDevOps variable groups, Scriban template context variables, and hierarchical sensitivity detection. This caused reports to render values that should have been masked as "(sensitive)" instead. This issue is fixed in v1.26.1. No known workarounds are available.
Deeper analysis
CVE-2026-27640 is an information disclosure vulnerability (CWE-212) in tfplan2md, a tool for converting Terraform plan JSON files into human-readable Markdown reports. Published on 2026-02-25, it affects versions prior to 1.26.1 and stems from a bug impacting multiple rendering paths, including AzApi resource body properties, AzureDevOps variable groups, Scriban template context variables, and hierarchical sensitivity detection. These flaws cause the tool to render actual sensitive values in reports rather than masking them as "(sensitive)", with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
The vulnerability can be exploited by any network-accessible attacker: the vector requires no privileges, has low attack complexity, and needs no user interaction. By obtaining the generated Markdown reports, potentially through shared CI/CD pipelines, public repositories, or other distribution channels, attackers can achieve high-impact confidentiality breaches, exposing sensitive Terraform plan data such as credentials, secrets, or configuration details that were intended to be protected.
The issue is fully resolved in tfplan2md version 1.26.1. No workarounds are available. For mitigation details, refer to the GitHub release notes at https://github.com/oocx/tfplan2md/releases/tag/v1.26.1 and the security advisory at https://github.com/oocx/tfplan2md/security/advisories/GHSA-5j8r-g94q-2f39.
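A practical defensive check for the failure mode described above, added here as an example and not code from the tfplan2md project: a Terraform plan JSON marks which attributes are sensitive in `change.after_sensitive` (a mask with the same shape as `change.after`), so a pipeline step can walk that mask, collect every value Terraform itself considers sensitive, and fail if any of them appears verbatim in the rendered Markdown before the report is published or attached to a pull request. The plan document, resource addresses and report snippets below are constructed sample data, not taken from the advisory.

```python
import json

# Constructed sample plan (assumed shape follows the Terraform plan JSON format:
# `after` holds planned values, `after_sensitive` mirrors it with True at sensitive leaves).
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {
            "address": "azurerm_key_vault_secret.db",
            "change": {
                "actions": ["create"],
                "after": {"name": "db-password", "value": "s3cr3t-example-value"},
                "after_sensitive": {"value": True},
            },
        },
        {
            "address": "azuredevops_variable_group.ci",
            "change": {
                "actions": ["create"],
                "after": {
                    "name": "ci-vars",
                    "variable": [{"name": "TOKEN", "secret_value": "tok-example-123"}],
                },
                "after_sensitive": {"variable": [{"secret_value": True}]},
            },
        },
    ],
}

# Constructed report fragments standing in for a rendered Markdown report:
# one that leaks the values, one that masks them as the tool is supposed to.
LEAKY_REPORT = "| value | s3cr3t-example-value |\n| secret_value | tok-example-123 |\n"
SAFE_REPORT = "| value | (sensitive) |\n| secret_value | (sensitive) |\n"


def _leaves(value, path):
    """Yield (path, scalar) for every scalar under `value`."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from _leaves(v, path + (k,))
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from _leaves(v, path + (i,))
    elif value is not None:
        yield path, value


def _walk(value, mask, path):
    """Yield (path, scalar) for every leaf of `value` that `mask` marks as sensitive."""
    if mask is True:
        # A True mask covers the whole subtree (e.g. an entire object or block).
        yield from _leaves(value, path)
    elif isinstance(value, dict) and isinstance(mask, dict):
        for k, v in value.items():
            yield from _walk(v, mask.get(k, False), path + (k,))
    elif isinstance(value, list) and isinstance(mask, list):
        for i, v in enumerate(value):
            yield from _walk(v, mask[i] if i < len(mask) else False, path + (i,))


def sensitive_values(plan):
    """Return [(resource_address, dotted_path, value)] for every sensitive planned value."""
    found = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        after = change.get("after") or {}
        mask = change.get("after_sensitive") or {}
        for path, value in _walk(after, mask, ()):
            found.append((rc["address"], ".".join(str(p) for p in path), value))
    return found


def find_leaks(plan, report_md, min_len=4):
    """Return [(resource_address, dotted_path)] whose sensitive value appears verbatim in the report.

    Very short values are skipped (min_len) because they would match by chance;
    raise min_len for noisier reports, lower it only for a targeted review.
    """
    leaks = []
    for address, path, value in sensitive_values(plan):
        text = str(value)
        if len(text) >= min_len and text in report_md:
            leaks.append((address, path))
    return leaks


if __name__ == "__main__":
    # Typical pipeline use: load plan.json and the generated report from disk, fail on any leak.
    for name, report in (("leaky", LEAKY_REPORT), ("safe", SAFE_REPORT)):
        leaks = find_leaks(SAMPLE_PLAN, report)
        print(name, "->", json.dumps(leaks))
```

The check compares against the plan's own sensitivity marks rather than a regex for secret-looking strings, so it catches exactly the class of bug the advisory describes (a value Terraform knows is sensitive reaching the report) regardless of which rendering path produced it. It is a safety net, not a substitute for upgrading to v1.26.1: in a pipeline, run it over the report produced from the same plan file and refuse to publish when the list is non-empty.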
Details
- CWE(s)