CVE-2026-27900
Published: 26 February 2026
Summary
CVE-2026-27900 is a medium-severity Insertion of Sensitive Information into Log File (CWE-532) vulnerability in the Terraform Provider for Linode, affecting versions prior to v3.9.0. Its CVSS v3.1 base score is 5.0 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001); ranked at the 2.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AU-9 (Protection of Audit Information) and CM-6 (Configuration Settings).
Deeper analysis
CVE-2026-27900 affects the Terraform Provider for Linode in versions prior to v3.9.0. The vulnerability involves the logging of sensitive information, including passwords, StackScript content, and object storage data, in debug logs without proper redaction. Provider debug logging is not enabled by default, but when explicitly activated—for instance, during local troubleshooting, CI/CD jobs, or centralized log collection—this issue exposes the sensitive data in logs that may be retained, shared, or exported beyond the original execution environment.
Anyone who can read the provider debug logs, whether through a log aggregation system, a CI/CD pipeline's job output, or a shared debug dump, can exploit this; read access to the logs is the only privilege required. Exploitation requires that debug logging was enabled at the time the affected resources were created or updated; the unredacted values can then be lifted straight from the retained log lines. The CVSS v3.1 base score is 5.0 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N): low privileges over the network, limited confidentiality impact, and a changed scope because the credentials exposed by the provider's logging grant access to resources (instances, StackScripts, object storage) outside the logging component itself.
Versions 3.9.0 and later of the Terraform Provider for Linode address the issue by sanitizing debug logs, logging only non-sensitive metadata such as labels, regions, and resource IDs while redacting credentials, tokens, keys, scripts, and other sensitive content. Upgrading does not scrub logs that were already written, so the advisory's other recommendations still apply: disable Terraform/provider debug logging or set it to WARN level or above, restrict access to existing and historical logs, purge or retention-trim logs that may contain sensitive values, and rotate any secrets or credentials that may have been exposed. Relevant resources include the GitHub security advisory (GHSA-5rc7-2jj6-mp64), the release notes for v3.9.0, and the fixing commit and pull request.
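The fix described above, shown as an added illustration written for this page rather than taken from the provider's source: a constructed instance-create request, the leaky debug line that serialises the whole body (the pre-3.9.0 behaviour the advisory describes), and a hardened variant that keeps only an allow-list of metadata keys. Field names follow the Linode API (root_pass, stackscript_data, authorized_keys), the values are made up, and the allow-list and function names are this example's own choices, not the provider's.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Redacted replaces every value that is not on the allow-list.
const Redacted = "[REDACTED]"

// SampleCreateRequest is a constructed instance-create body using Linode API
// field names with made-up values; none of the secrets are real.
func SampleCreateRequest() map[string]any {
	return map[string]any{
		"label":           "web-1",
		"region":          "us-east",
		"type":            "g6-nanode-1",
		"root_pass":       "S3cretP@ss-not-real",
		"authorized_keys": []any{"ssh-ed25519 AAAAC3-constructed"},
		"stackscript_id":  12345,
		"stackscript_data": map[string]any{
			"db_password": "hunter2-constructed",
		},
	}
}

// DebugLineUnredacted mirrors the pre-3.9.0 behaviour described in the
// advisory: the whole request body lands in the debug line.
func DebugLineUnredacted(req map[string]any) string {
	body, _ := json.Marshal(req)
	return fmt.Sprintf("[DEBUG] linode API request: %s", body)
}

// allowList names the only top-level keys whose values are safe to log
// verbatim (labels, regions, types, status and IDs). This list is the
// example's own choice, not the provider's.
var allowList = map[string]bool{
	"id": true, "label": true, "region": true, "type": true,
	"status": true, "image": true, "tags": true,
}

// keyIsSafe allows listed keys plus any *_id reference.
func keyIsSafe(k string) bool {
	return allowList[k] || strings.HasSuffix(k, "_id")
}

// RedactForLog copies req, keeping allow-listed values and replacing every
// other value (including whole nested objects such as stackscript_data) with
// Redacted. Allow-listing means a newly added sensitive field is redacted by
// default instead of leaking until someone extends a deny-list.
func RedactForLog(req map[string]any) map[string]any {
	out := make(map[string]any, len(req))
	for k, v := range req {
		if keyIsSafe(k) {
			out[k] = v
		} else {
			out[k] = Redacted
		}
	}
	return out
}

// DebugLineRedacted is the hardened counterpart of DebugLineUnredacted.
func DebugLineRedacted(req map[string]any) string {
	body, _ := json.Marshal(RedactForLog(req))
	return fmt.Sprintf("[DEBUG] linode API request: %s", body)
}

func main() {
	req := SampleCreateRequest()
	fmt.Println(DebugLineUnredacted(req))
	fmt.Println(DebugLineRedacted(req))
}
```

Running it prints the two lines side by side: the first carries the root password, the SSH key and the StackScript variables; the second keeps label, region, type and stackscript_id and shows [REDACTED] for everything else. An allow-list is chosen deliberately here: a deny-list of "known secret" field names is exactly the kind of list that falls behind when a new API field is added.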
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8798
Vulnerability details
The Terraform Provider for Linode versions prior to v3.9.0 logged sensitive information including some passwords, StackScript content, and object storage data in debug logs without redaction. Provider debug logging is not enabled by default. This issue is exposed when debug/provider logs are explicitly enabled (for example in local troubleshooting, CI/CD jobs, or centralized log collection). If enabled, sensitive values may be written to logs and then retained, shared, or exported beyond the original execution environment. An authenticated user with access to provider debug logs (through log aggregation systems, CI/CD pipelines, or debug output) would thus be able to extract these sensitive credentials. Versions 3.9.0 and later sanitize debug logs by logging only non-sensitive metadata such as labels, regions, and resource IDs while redacting credentials, tokens, keys, scripts, and other sensitive content. Some other mitigations and workarounds are available. Disable Terraform/provider debug logging or set it to `WARN` level or above, restrict access to existing and historical logs, purge/retention-trim logs that may contain sensitive values, and/or rotate potentially exposed secrets/credentials.
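A check for the clean-up steps above (which retained logs to purge, which credentials to rotate), added here as an example and not part of the advisory: a small Go scanner that walks provider log lines, flags lines whose JSON bodies carry credential-like keys, and reports the line number, log level and matched keys. The log lines are constructed for this example, and the key pattern is an assumption to tune for your own log format; keys ending in _id are treated as references rather than content.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding records one log line that appears to carry sensitive request data.
type Finding struct {
	Line  int      // 1-based index into the scanned lines
	Level string   // log level parsed from the line, if any
	Keys  []string // matched JSON keys, in order of first appearance
}

// SampleLogLines is a constructed set of provider-style log lines. Format
// and values are made up for this example; the secrets are not real.
func SampleLogLines() []string {
	return []string{
		`2026-02-26T10:00:01.000Z [INFO]  provider.terraform-provider-linode: creating instance label=web-1 region=us-east`,
		`2026-02-26T10:00:01.100Z [DEBUG] provider.terraform-provider-linode: request body: {"label":"web-1","region":"us-east","root_pass":"S3cretP@ss-not-real","stackscript_id":12345,"stackscript_data":{"db_password":"hunter2-constructed"}}`,
		`2026-02-26T10:00:02.000Z [DEBUG] provider.terraform-provider-linode: request body: {"label":"bootstrap","script":"#!/bin/bash\necho hunter2-constructed | passwd --stdin root"}`,
		`2026-02-26T10:00:03.000Z [WARN]  provider.terraform-provider-linode: retrying request after HTTP 429`,
	}
}

// sensitiveKey matches a quoted JSON key containing a credential-like word,
// followed by a colon. The word list is an assumption; extend it for the
// fields that matter in your environment.
var sensitiveKey = regexp.MustCompile(`(?i)"([a-z_]*(?:pass|script|secret|token|private_key|access_key)[a-z_]*)"\s*:`)

// levelRe pulls the bracketed log level out of a line.
var levelRe = regexp.MustCompile(`\[(TRACE|DEBUG|INFO|WARN|ERROR)\]`)

// ScanLogs returns one Finding per line that contains at least one sensitive
// key. Keys ending in _id (for example stackscript_id) are references, not
// content, and are skipped; duplicate keys on one line are reported once.
func ScanLogs(lines []string) []Finding {
	var findings []Finding
	for i, line := range lines {
		seen := map[string]bool{}
		var keys []string
		for _, m := range sensitiveKey.FindAllStringSubmatch(line, -1) {
			k := strings.ToLower(m[1])
			if strings.HasSuffix(k, "_id") || seen[k] {
				continue
			}
			seen[k] = true
			keys = append(keys, k)
		}
		if len(keys) == 0 {
			continue
		}
		level := ""
		if lm := levelRe.FindStringSubmatch(line); lm != nil {
			level = lm[1]
		}
		findings = append(findings, Finding{Line: i + 1, Level: level, Keys: keys})
	}
	return findings
}

func main() {
	for _, f := range ScanLogs(SampleLogLines()) {
		fmt.Printf("line %d [%s]: sensitive keys %s\n", f.Line, f.Level, strings.Join(f.Keys, ", "))
	}
}
```

On the constructed input only the two DEBUG lines are flagged: the first for root_pass, stackscript_data and db_password, the second for script. Point it at exported CI job output or an aggregator's export for the period when debug logging was on; every flagged line marks both a log that needs purging and a credential that needs rotating, since a hit in a historical log is already an exposure regardless of the provider version running today. Expect some false positives when a key-like word appears inside a script body; that is the right failure direction for this check.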
- CWE(s): CWE-532 (Insertion of Sensitive Information into Log File)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Credentials In Files (T1552.001)
Why these techniques?
The vulnerability directly causes sensitive credentials (passwords, tokens, keys, StackScript content) to be written in plaintext to debug logs, so an adversary who can read those logs obtains valid credentials from files without any dumping or cracking step.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- AU-9 (Protection of Audit Information): directly protects audit/debug logs containing unredacted credentials so that only authorized users can read them, closing the post-enablement exposure path described above.
- CM-6 (Configuration Settings): allows the Terraform/provider logging level to be pinned at WARN or higher (for Terraform, by leaving TF_LOG and TF_LOG_PROVIDER unset or setting them to WARN), preventing the debug-level output that leaks passwords and tokens.
- Log retention and purging: requires organizations to define and enforce retention limits and purging procedures for logs that may hold sensitive Linode credentials, limiting long-term exposure after the fact.