Cyber Resilience

CVE-2026-27900

Medium

Published: 26 February 2026
Modified: 11 March 2026
KEV added: not listed
Patch: available (fixed in v3.9.0, see Deeper analysis)
CVSS v3.1 score: 5.0 (Medium), vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
EPSS score: 0.0001 (2.7th percentile)
Risk priority: 10 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-27900 is a medium-severity Insertion of Sensitive Information into Log File (CWE-532) vulnerability in Terraform Linode Provider. Its CVSS base score is 5.0 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001). By exploit likelihood the CVE sits at the 2.7th EPSS percentile (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AU-9 (Protection of Audit Information) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2026-27900 affects the Terraform Provider for Linode in versions prior to v3.9.0. The vulnerability involves the logging of sensitive information, including passwords, StackScript content, and object storage data, in debug logs without proper redaction. Provider debug logging is not enabled by default, but when explicitly activated—for instance, during local troubleshooting, CI/CD jobs, or centralized log collection—this issue exposes the sensitive data in logs that may be retained, shared, or exported beyond the original execution environment.

An authenticated user with access to the provider debug logs, such as through log aggregation systems, CI/CD pipelines, or debug output, can exploit this vulnerability. Exploitation requires the debug logging to be enabled, after which the attacker can extract the unredacted sensitive credentials from the logs. The CVSS v3.1 base score is 5.0 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N), reflecting moderate confidentiality impact with low privileges needed over the network.

Versions 3.9.0 and later of the Terraform Provider for Linode address the issue by sanitizing debug logs, logging only non-sensitive metadata like labels, regions, and resource IDs while redacting credentials, tokens, keys, scripts, and other sensitive content. Advisories recommend mitigations including disabling Terraform/provider debug logging or setting it to WARN level or above, restricting access to existing and historical logs, purging or retention-trimming logs that may contain sensitive values, and rotating potentially exposed secrets or credentials. Relevant resources include the GitHub security advisory (GHSA-5rc7-2jj6-mp64), release notes for v3.9.0, and the fixing commit and pull request.


Vulnerability details

The Terraform Provider for Linode versions prior to v3.9.0 logged sensitive information including some passwords, StackScript content, and object storage data in debug logs without redaction. Provider debug logging is not enabled by default. This issue is exposed when debug/provider logs are explicitly enabled (for example in local troubleshooting, CI/CD jobs, or centralized log collection). If enabled, sensitive values may be written to logs and then retained, shared, or exported beyond the original execution environment. An authenticated user with access to provider debug logs (through log aggregation systems, CI/CD pipelines, or debug output) would thus be able to extract these sensitive credentials. Versions 3.9.0 and later sanitize debug logs by logging only non-sensitive metadata such as labels, regions, and resource IDs while redacting credentials, tokens, keys, scripts, and other sensitive content. Some other mitigations and workarounds are available. Disable Terraform/provider debug logging or set it to `WARN` level or above, restrict access to existing and historical logs, purge/retention-trim logs that may contain sensitive values, and/or rotate potentially exposed secrets/credentials.
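The sanitization approach the fix describes (log only labels, regions and resource IDs, redact everything else) is illustrated below by an added example in Go, the language Terraform providers are written in. It is not the Linode provider's own code: the attribute names, the helper names (SanitizeForLog, RedactedDebugLine, LeaksAny) and the sample values are constructed for the example, and every secret in the sample is a placeholder. The same LeaksAny check can be pointed at captured provider logs to confirm that a known credential never reached them.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample of the attributes a provider might hold for a Linode
// instance together with a StackScript and an object-storage key. Every
// secret value is a made-up placeholder; the attribute names are assumed.
const sampleAttrs = `{
  "id": "12345678",
  "label": "web-1",
  "region": "us-east",
  "root_pass": "hunter2-PLACEHOLDER",
  "stackscript": {"id": "42", "label": "bootstrap", "script": "#!/bin/bash\necho secret-bootstrap"},
  "object_storage_keys": [
    {"id": "7", "label": "backup", "access_key": "AKIA-PLACEHOLDER", "secret_key": "s3cr3t-PLACEHOLDER"}
  ]
}`

// loggableKeys is the allowlist of attribute names that are safe to write to
// a debug log: identifiers, labels and regions, never contents or credentials.
// Allowlisting is chosen over a denylist so that a new secret-bearing field
// is redacted by default rather than leaked until someone adds it to a list.
var loggableKeys = map[string]bool{"id": true, "label": true, "region": true}

const redacted = "[REDACTED]"

// SanitizeForLog walks a decoded JSON value and returns a copy in which every
// scalar that is not under an allowlisted key is replaced by "[REDACTED]".
// Objects and arrays are traversed so that metadata nested inside them is kept.
func SanitizeForLog(v any) any {
	switch t := v.(type) {
	case map[string]any:
		out := make(map[string]any, len(t))
		for k, val := range t {
			switch val.(type) {
			case map[string]any, []any:
				out[k] = SanitizeForLog(val)
			default:
				if loggableKeys[k] {
					out[k] = val
				} else {
					out[k] = redacted
				}
			}
		}
		return out
	case []any:
		out := make([]any, len(t))
		for i, val := range t {
			out[i] = SanitizeForLog(val)
		}
		return out
	default:
		// A scalar reached without a key (an element of a plain array) has no
		// name to judge it by, so it is treated as sensitive.
		return redacted
	}
}

// RedactedDebugLine decodes the raw attribute JSON, sanitizes it and returns
// the single JSON line a redacting debug logger would emit.
func RedactedDebugLine(rawJSON string) (string, error) {
	var attrs any
	if err := json.Unmarshal([]byte(rawJSON), &attrs); err != nil {
		return "", err
	}
	safe, err := json.Marshal(SanitizeForLog(attrs))
	if err != nil {
		return "", err
	}
	return string(safe), nil
}

// LeaksAny reports whether any of the given secret values appears verbatim
// in a log line. Run over captured provider logs, it answers the question
// "did this credential reach the logs?" before deciding whether to rotate it.
func LeaksAny(line string, secrets []string) bool {
	for _, s := range secrets {
		if strings.Contains(line, s) {
			return true
		}
	}
	return false
}

func main() {
	secrets := []string{"hunter2-PLACEHOLDER", "secret-bootstrap", "AKIA-PLACEHOLDER", "s3cr3t-PLACEHOLDER"}
	safe, err := RedactedDebugLine(sampleAttrs)
	if err != nil {
		panic(err)
	}
	// Logging the raw attributes, as the pre-3.9.0 behaviour did, leaks every secret.
	fmt.Println("raw attributes leak secrets:", LeaksAny(sampleAttrs, secrets))
	fmt.Println("sanitized line leaks secrets:", LeaksAny(safe, secrets))
	fmt.Println(safe)
}
```

The allowlist is deliberately short: anything a provider cannot positively classify as metadata is redacted, which is the property the advisory's fix relies on. Metadata nested inside StackScript and object-storage sub-objects survives (their `id` and `label`), while `script`, `root_pass`, `access_key` and `secret_key` are replaced before the line is written.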

CWE(s)

CWE-532 Insertion of Sensitive Information into Log File

Related Threats

MITRE ATT&CK Enterprise Techniques

T1552.001 Credentials In Files (tactic: Credential Access)
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Why these techniques?

The vulnerability directly causes sensitive credentials (passwords, tokens, keys) to be written in plaintext to debug logs, enabling adversaries who can access those logs to obtain valid credentials from files without additional dumping or cracking activity.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-24762 (shared CWE-532)
CVE-2024-7577 (shared CWE-532)
CVE-2026-34487 (shared CWE-532)
CVE-2025-1075 (shared CWE-532)
CVE-2025-30205 (shared CWE-532)
CVE-2026-23775 (shared CWE-532)
CVE-2026-25193 (shared CWE-532)
CVE-2026-44516 (shared CWE-532)
CVE-2026-44052 (shared CWE-532)
CVE-2025-11008 (shared CWE-532)

Affected Assets

Terraform Linode provider, versions ≤ 3.9.0 (as listed; the analysis above states that versions prior to v3.9.0 are affected and that v3.9.0 carries the fix)

Mitigating Controls (NIST 800-53 r5)

Prevent, AU-9 (Protection of Audit Information): Directly protects audit/debug logs containing unredacted credentials so that only authorized users can access them, blocking the post-enablement exposure path described in the CVE.

Prevent, CM-6 (Configuration Settings): Allows explicit configuration of the Terraform/provider logging level to WARN or higher, preventing the debug-level output that leaks passwords and tokens.

Recover: Requires organizations to define and enforce retention limits and purging procedures for logs that may hold sensitive Linode credentials, limiting long-term exposure after the fact.
