CVE-2026-27640
Published: 25 February 2026
Summary
CVE-2026-27640 is a high-severity Improper Removal of Sensitive Information Before Storage or Transfer (CWE-212) vulnerability in Oocx Tfplan2Md. Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001); it ranks at the 21.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AU-13 (Monitoring for Information Disclosure) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-27640 is an information disclosure vulnerability (CWE-212) in tfplan2md, a tool for converting Terraform plan JSON files into human-readable Markdown reports. Published on 2026-02-25, it affects versions prior to 1.26.1 and stems from a bug impacting multiple rendering paths, including AzApi resource body properties, AzureDevOps variable groups, Scriban template context variables, and hierarchical sensitivity detection. These flaws cause the tool to render actual sensitive values in reports rather than masking them as "(sensitive)", with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
The vulnerability can be exploited by any network-accessible attacker with low attack complexity and no privileges or user interaction required. By obtaining the generated Markdown reports—potentially through shared CI/CD pipelines, public repositories, or other distribution channels—attackers can achieve a high-impact confidentiality breach, exposing sensitive Terraform plan data such as credentials, secrets, or configuration details that were intended to be protected.
The issue is fully resolved in tfplan2md version 1.26.1. No workarounds are available. For mitigation details, refer to the GitHub release notes at https://github.com/oocx/tfplan2md/releases/tag/v1.26.1 and the security advisory at https://github.com/oocx/tfplan2md/security/advisories/GHSA-5j8r-g94q-2f39.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8615
Vulnerability details
tfplan2md is software for converting Terraform plan JSON files into human-readable Markdown reports. Prior to version 1.26.1, a bug in tfplan2md affected several distinct rendering paths: AzApi resource body properties, AzureDevOps variable groups, Scriban template context variables, and hierarchical sensitivity detection. This caused reports to render values that should have been masked as "(sensitive)" instead. This issue is fixed in v1.26.1. No known workarounds are available.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability causes sensitive credentials/secrets from Terraform plans to be written unmasked into Markdown reports (instead of redacted), directly enabling credential access from files and data retrieval from code repositories or CI artifacts where those reports are stored or shared.
Mitigating Controls (NIST 800-53 r5)
Timely flaw remediation by updating tfplan2md to version 1.26.1 directly fixes the bug causing sensitive values to render unmasked in Markdown reports.
Monitoring systems and outbound reports for information disclosure detects instances where tfplan2md fails to mask sensitive Terraform plan data.
Information output filtering provides an additional layer to mask or sanitize sensitive values in generated Markdown reports before sharing.
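The two defensive points above, hierarchical sensitivity masking (the rendering path named in the vulnerability details) and monitoring generated reports for leaked values, can be illustrated with a small script. This is an added example written for this page, not tfplan2md's own code: it reads a constructed Terraform plan JSON fragment, masks every value that the plan's `after_sensitive` tree flags (treating a flagged parent as covering its whole subtree), and then checks a rendered report for any sensitive value that slipped through. The `SAMPLE_PLAN`, its secret strings, and the stand-in renderer are constructed for the example; the `after` / `after_sensitive` layout follows Terraform's JSON plan format.

```python
import json

MASK = "(sensitive)"

# Constructed sample Terraform plan JSON (not taken from the advisory). Terraform's
# plan format places an `after_sensitive` tree beside `after` that mirrors its layout
# with booleans; `true` at a parent node marks the whole subtree sensitive.
SAMPLE_PLAN = {
    "resource_changes": [
        {
            "address": "azapi_resource.example",
            "change": {
                "actions": ["create"],
                "after": {
                    "name": "demo",
                    "body": {
                        "properties": {
                            "adminPassword": "P@ssw0rd-constructed",
                            "sku": "Standard",
                            "connection": {"string": "Server=db;Pwd=secret-constructed"},
                        }
                    },
                },
                "after_sensitive": {
                    "body": {
                        "properties": {
                            "adminPassword": True,
                            "connection": True,  # the whole sub-object is sensitive
                        }
                    }
                },
            },
        }
    ],
}

def _child_marker(marker, key):
    """Marker for one child of a node; a parent `True` covers every descendant."""
    if marker is True:
        return True
    if isinstance(marker, dict):
        return marker.get(key, False)
    if isinstance(marker, list) and isinstance(key, int) and key < len(marker):
        return marker[key]
    return False

def mask_value(value, marker):
    """Return `value` with every flagged part replaced by MASK. A flagged parent
    masks its whole subtree, so nested secrets inside it are never rendered."""
    if marker is True:
        return MASK
    if isinstance(value, dict):
        return {k: mask_value(v, _child_marker(marker, k)) for k, v in value.items()}
    if isinstance(value, list):
        return [mask_value(v, _child_marker(marker, i)) for i, v in enumerate(value)]
    return value

def sensitive_leaves(value, marker):
    """Every scalar the marker flags as sensitive, descending into flagged subtrees."""
    if isinstance(value, dict):
        return [s for k, v in value.items() for s in sensitive_leaves(v, _child_marker(marker, k))]
    if isinstance(value, list):
        return [s for i, v in enumerate(value) for s in sensitive_leaves(v, _child_marker(marker, i))]
    return [str(value)] if marker is True and value not in (None, "") else []

def render_markdown(plan, mask=True):
    """Tiny stand-in renderer (not tfplan2md's). `mask=False` reproduces the
    failure mode the advisory describes: values reach the report unmasked."""
    lines = []
    for rc in plan["resource_changes"]:
        change = rc["change"]
        marker = change.get("after_sensitive", False) if mask else False
        after = mask_value(change.get("after") or {}, marker)
        lines.append(f"## {rc['address']} ({', '.join(change['actions'])})")
        lines.append(json.dumps(after, indent=2))
    return "\n".join(lines)

def find_leaks(report, plan):
    """Defensive post-render check: sensitive plan values that appear verbatim in
    a report. Run it before a report is published or attached to a pipeline run."""
    leaks = set()
    for rc in plan["resource_changes"]:
        change = rc["change"]
        marker = change.get("after_sensitive", False)
        for secret in sensitive_leaves(change.get("after") or {}, marker):
            if secret in report:
                leaks.add(secret)
    return sorted(leaks)

if __name__ == "__main__":
    print(render_markdown(SAMPLE_PLAN))
    print("leaks in masked report:", find_leaks(render_markdown(SAMPLE_PLAN), SAMPLE_PLAN))
    print("leaks in unmasked report:", find_leaks(render_markdown(SAMPLE_PLAN, mask=False), SAMPLE_PLAN))
```

`find_leaks` is the piece a pipeline can keep even after upgrading to 1.26.1: fed the plan JSON and the Markdown that any renderer produced, it returns an empty list when masking held and the offending values otherwise, which is a simple gate to run before a report is posted to a pull request or stored as a build artifact.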