PT-2026-6295 · Hashicorp+2 · Terraform+2
Lucasmaurice · Published 2026-02-02 · Updated 2026-02-06 · CVE-2026-25499
CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Terraform / OpenTofu Provider versions prior to 0.93.1
Description
The Terraform / OpenTofu Provider for Proxmox Virtual Environment, prior to version 0.93.1, contains an insecure sudoers line in its SSH configuration documentation. This configuration allows for potential path traversal using '../', enabling modification of any file on the system.
Recommendations
Update to version 0.93.1 or later.
Exploit
Fix
Path traversal
Affected Products
OpenTofu
Proxmox Virtual Environment
Terraform