CVE-2026-27900
Published: 26 February 2026
Summary
CVE-2026-27900 is a medium-severity Insertion of Sensitive Information into Log File (CWE-532) vulnerability in Terraform Linode Provider. Its CVSS base score is 5.0 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001); ranked at the 2.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Procedures mandate excluding sensitive data from logs to prevent unauthorized exposure via audit records.
- Identifies insertion of sensitive data into logs, allowing detection of unauthorized disclosure.
- Cross-organizational coordination enables agreement on what data to include in audit logs, directly reducing insertion of sensitive information.
- Identifying logging as a data action allows prevention of sensitive information being inserted into log files.
- The process of identifying and eradicating spilled information applies directly to sensitive data inserted into log files.
- Specific processing rules for sensitive PII categories commonly include restrictions on logging, making insertion of such data into log files less likely.
- PIAs detect planned or existing logging of PII and require removal or protection, preventing insertion of sensitive information into logs.
- Limits insertion of sensitive operational details into logs by treating such data as key information requiring protection.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
The vulnerability directly causes sensitive credentials (passwords, tokens, keys) to be written in plaintext to debug logs, enabling adversaries who can access those logs to obtain valid credentials from files without additional dumping or cracking activity.
NVD Description
The Terraform Provider for Linode versions prior to v3.9.0 logged sensitive information including some passwords, StackScript content, and object storage data in debug logs without redaction. Provider debug logging is not enabled by default. This issue is exposed when debug/provider logs are explicitly enabled (for example in local troubleshooting, CI/CD jobs, or centralized log collection). If enabled, sensitive values may be written to logs and then retained, shared, or exported beyond the original execution environment. An authenticated user with access to provider debug logs (through log aggregation systems, CI/CD pipelines, or debug output) would thus be able to extract these sensitive credentials. Versions 3.9.0 and later sanitize debug logs by logging only non-sensitive metadata such as labels, regions, and resource IDs while redacting credentials, tokens, keys, scripts, and other sensitive content. Some other mitigations and workarounds are available. Disable Terraform/provider debug logging or set it to `WARN` level or above, restrict access to existing and historical logs, purge/retention-trim logs that may contain sensitive values, and/or rotate potentially exposed secrets/credentials.
Deeper analysis (AI)
CVE-2026-27900 affects the Terraform Provider for Linode in versions prior to v3.9.0. The vulnerability involves the logging of sensitive information, including passwords, StackScript content, and object storage data, in debug logs without proper redaction. Provider debug logging is not enabled by default, but when explicitly activated—for instance, during local troubleshooting, CI/CD jobs, or centralized log collection—this issue exposes the sensitive data in logs that may be retained, shared, or exported beyond the original execution environment.
An authenticated user with access to the provider debug logs, such as through log aggregation systems, CI/CD pipelines, or debug output, can exploit this vulnerability. Exploitation requires the debug logging to be enabled, after which the attacker can extract the unredacted sensitive credentials from the logs. The CVSS v3.1 base score is 5.0 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N), reflecting moderate confidentiality impact with low privileges needed over the network.
Versions 3.9.0 and later of the Terraform Provider for Linode address the issue by sanitizing debug logs, logging only non-sensitive metadata like labels, regions, and resource IDs while redacting credentials, tokens, keys, scripts, and other sensitive content. Advisories recommend mitigations including disabling Terraform/provider debug logging or setting it to WARN level or above, restricting access to existing and historical logs, purging or retention-trimming logs that may contain sensitive values, and rotating potentially exposed secrets or credentials. Relevant resources include the GitHub security advisory (GHSA-5rc7-2jj6-mp64), release notes for v3.9.0, and the fixing commit and pull request.
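The following is an added example, not the provider's own code and not the actual v3.9.0 fix. It contrasts the pre-fix pattern the advisory describes (serialising a whole resource attribute map into the debug log) with the post-fix pattern (logging only an allowlist of non-sensitive metadata such as label, region and ID, and redacting credential-, key- and script-bearing attributes). The attribute names, the sample values, the allowlist, the key pattern and the LeaksAny guard are all constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed sample: the kind of attribute map a provider holds while creating
// an instance. Every value here is made up for this example.
var sampleInstance = map[string]string{
	"id":               "12345678",
	"label":            "web-01",
	"region":           "us-east",
	"type":             "g6-standard-2",
	"root_pass":        "hunter2-not-a-real-password",
	"authorized_keys":  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterial",
	"stackscript_data": "{\"db_password\":\"s3cret\"}",
}

// UnsafeDebugLine models the pre-fix pattern: the entire attribute map is
// written to the debug log, secrets included.
func UnsafeDebugLine(resource string, attrs map[string]string) string {
	b, _ := json.Marshal(attrs)
	return fmt.Sprintf("[DEBUG] %s: %s", resource, b)
}

// metadataAllowlist holds the only attribute keys that are ever logged verbatim
// (assumed set for this example).
var metadataAllowlist = map[string]bool{
	"id": true, "label": true, "region": true, "type": true, "status": true,
}

// sensitiveKey matches attribute names that carry credentials, keys or scripts
// (assumed pattern for this example).
var sensitiveKey = regexp.MustCompile(`(?i)(pass|secret|token|key|script|cert|private)`)

// SanitizeAttrs returns a copy that keeps allowlisted metadata, replaces
// known-sensitive keys with a marker, and drops everything else. Dropping
// unknown keys is the safe default: a new attribute cannot leak by omission.
func SanitizeAttrs(attrs map[string]string) map[string]string {
	out := make(map[string]string, len(attrs))
	for k, v := range attrs {
		switch {
		case metadataAllowlist[k]:
			out[k] = v
		case sensitiveKey.MatchString(k):
			out[k] = "[REDACTED]"
		}
	}
	return out
}

// SafeDebugLine models the post-fix pattern: sorted key=value pairs of the
// sanitized map, so the line is deterministic and contains no secret values.
func SafeDebugLine(resource string, attrs map[string]string) string {
	s := SanitizeAttrs(attrs)
	keys := make([]string, 0, len(s))
	for k := range s {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	parts := make([]string, 0, len(keys))
	for _, k := range keys {
		parts = append(parts, k+"="+s[k])
	}
	return fmt.Sprintf("[DEBUG] %s: %s", resource, strings.Join(parts, " "))
}

// LeaksAny reports whether a rendered log line contains any of the given secret
// values. A provider test suite can use this as a regression guard: feed the
// secrets it configured and assert that no emitted log line contains them.
func LeaksAny(line string, secrets ...string) bool {
	for _, s := range secrets {
		if s != "" && strings.Contains(line, s) {
			return true
		}
	}
	return false
}

func main() {
	fmt.Println(UnsafeDebugLine("linode_instance", sampleInstance))
	fmt.Println(SafeDebugLine("linode_instance", sampleInstance))
}
```

On the operator side, the workaround the advisory gives corresponds to leaving Terraform's `TF_LOG` and `TF_LOG_PROVIDER` environment variables unset or setting them to `WARN`, so that no `DEBUG`/`TRACE` lines are produced at all; the sanitizer above is what makes the logs safe once someone does turn debug output on.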
Details
- CWE(s)