PT-2026-6429 — Github.Com/Bpg/Terraform-Provider-Proxmox

PT-2026-6429 · Go · Github.Com/Bpg/Terraform-Provider-Proxmox

Published

2026-02-02

Updated

2026-02-02

CVSS v4.0

8.7

High

Vector

AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Note: It is uncertain whether this constitutes a vulnerability or should be filed as an issue instead.

In the SSH configuration documentation, the sudoer line that was suggested can be escalated to edit any files in the system.

The following line were suggested for addition in the sudoers file:

terraform ALL=(root) NOPASSWD: /usr/bin/tee /var/lib/vz/*

But this is highly insecure as the folder can be escaped using ../ and any files can be edited on the system.

Using a terraform user with the previously mentioned line in the /etc/sudoers file, a /etc/sudoers.d/sudo file can be added using this command:

echo "ALL=(ALL) NOPASSWD:ALL" | tee /var/lib/vz/../../../etc/sudoers.d/sudo

This grants access to the full root of the node.

This breaches the access limits of the Terraform user.

Use a strict regex on the command to allow only the names that should be pushed by this user.

Example for cloudinit yaml files:

terraform ALL=(root) NOPASSWD: /usr/bin/tee /var/lib/vz/snippets/[A-Za-z0-9-]*.yaml

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

GHSA-GWCH-7M8V-7544

Github.Com/Bpg/Terraform-Provider-Proxmox