PT-2026-22075 · Linode · Terraform-Provider-Linode

Hasan Sheet · Published 2026-02-26 · Updated 2026-03-25 · CVE-2026-27900

CVSS v3.1: 7.7 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Terraform Provider for Linode versions prior to 3.9.0

Description

The Terraform Provider for Linode logged sensitive information, including passwords, StackScript content, and object storage data, in debug logs without redaction. This issue is present when debug/provider logs are explicitly enabled. An authenticated user with access to these logs could extract sensitive credentials. The provider versions 3.9.0 and later sanitize debug logs by redacting sensitive content and logging only non-sensitive metadata.

Recommendations

Disable Terraform/provider debug logging or set it to WARN level or above. Restrict access to existing and historical logs. Purge/retention-trim logs that may contain sensitive values. Rotate potentially exposed secrets/credentials.
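
An added example (not from the advisory or the provider project) of enforcing the logging recommendation as a gate before Terraform runs. It assumes Terraform's standard TF_LOG, TF_LOG_PROVIDER and TF_LOG_PATH environment variables, which the advisory does not name, and that TF_LOG_PROVIDER overrides TF_LOG for provider logs; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not the provider's own code.
# Assumption: provider log verbosity is controlled by TF_LOG_PROVIDER,
# falling back to TF_LOG when TF_LOG_PROVIDER is unset or empty.

# Print the effective provider log level, upper-cased ("" when logging is off).
provider_log_level() {
    lvl="${TF_LOG_PROVIDER:-${TF_LOG:-}}"
    printf '%s' "$lvl" | tr '[:lower:]' '[:upper:]'
}

# Print "ok" when provider logging is disabled or at WARN level or above,
# "verbose" otherwise.
provider_log_status() {
    case "$(provider_log_level)" in
        ""|OFF|WARN|ERROR) echo ok ;;
        # TRACE, DEBUG, INFO and JSON are verbose. Unrecognized values are
        # also treated as verbose here (assumption: fail closed).
        *) echo verbose ;;
    esac
}

# Gate for a CI job or wrapper script: returns 0 when the environment follows
# the recommendation, 1 (with a message on stderr) when it does not.
check_provider_logging() {
    if [ "$(provider_log_status)" = ok ]; then
        return 0
    fi
    echo "provider logging is at level $(provider_log_level); set WARN or above, or disable it" >&2
    if [ -n "${TF_LOG_PATH:-}" ]; then
        # A persisted log file is what the advisory asks to restrict and purge.
        echo "logs are written to $TF_LOG_PATH: restrict access, purge it, rotate exposed secrets" >&2
    fi
    return 1
}
```

Calling `check_provider_logging` before `terraform plan` or `terraform apply` stops a run that would write provider debug output on versions prior to 3.9.0.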

Exploit

Fix

Insertion into Log File

Weakness Enumeration

Related Identifiers

CVE-2026-27900
GHSA-5RC7-2JJ6-MP64
GO-2026-4562
SUSE-SU-2026:1042-1

Affected Products

Terraform-Provider-Linode