Vibe Security Radar

CVE-2026-27900

MEDIUM, CVSS 5.0
Published: Feb 26, 2026
Verified by: gemini-3.1-flash-lite-preview, gemini-3.1-pro-preview
Description

Terraform Provider Debug Logs Vulnerable to Sensitive Information Exposure

How AI Introduced This

The Terraform provider writes sensitive information (such as API tokens or secrets) to debug logs without proper redaction, exposing them to anyone with access to the logs.

Causality Analysis

CONFIRMED: b42ff5049f74
Vulnerability
Sensitive Information Exposure
Root Cause
The Terraform provider writes sensitive information (such as API tokens or secrets) to debug logs without proper redaction, exposing them to anyone with access to the logs.
Pattern
Logging sensitive variables directly without redaction (e.g., log.Printf("Token: %s", token)) or missing Sensitive: true in the Terraform schema.
Causal Chain
The blamed commit initialized the 'createOpts' struct containing the sensitive 'Token' field and passed the entire struct into 'tflog.Debug', causing the sensitive token to be written to the provider logs.
Reasoning
The blamed commit introduced the file and the specific logging statement that logs the entire 'createOpts' struct, which includes the sensitive 'Token' field. The fix commit subsequently removed this broad logging of the struct to prevent the exposure of the token.
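
The pattern and fix described above, as an added Go example (not the provider's code): whole-struct logging next to allowlisted logging, plus a leak check usable as a regression test. The `createOpts` fields other than `Token`, the `secret` type, and the standard `log` package standing in for `tflog` are assumptions.

```go
package main

import (
	"bytes"
	"fmt"
	"log"
	"strings"
)

// createOpts is a hypothetical stand-in for the provider's struct; only the
// names createOpts and Token come from the advisory.
type createOpts struct {
	Label string
	Token string // sensitive
}

// secret masks itself under fmt formatting. Other encoders (for example
// encoding/json) are not covered and need their own handling.
type secret string
func (secret) String() string { return "[REDACTED]" }

// hardenedOpts carries the token in the self-masking type.
type hardenedOpts struct {
	Label string
	Token secret
}

// logWholeStruct is the flawed pattern: every field reaches the debug log.
func logWholeStruct(l *log.Logger, o interface{}) { l.Printf("[DEBUG] create member: %+v", o) }

// logAllowlisted names the fields to log, so new sensitive fields stay out.
func logAllowlisted(l *log.Logger, o createOpts) { l.Printf("[DEBUG] create member: label=%q", o.Label) }

// leaks captures what emit writes and reports whether token appears in it.
// The same check works as a regression test around real logging calls.
func leaks(token string, emit func(*log.Logger)) bool {
	var buf bytes.Buffer
	emit(log.New(&buf, "", 0))
	return strings.Contains(buf.String(), token)
}

func main() {
	const tok = "constructed-token-0001" // constructed sample, not a real credential
	plain := createOpts{Label: "team-a", Token: tok}
	masked := hardenedOpts{Label: "team-a", Token: secret(tok)}
	fmt.Println(leaks(tok, func(l *log.Logger) { logWholeStruct(l, plain) }))
	fmt.Println(leaks(tok, func(l *log.Logger) { logAllowlisted(l, plain) }))
	fmt.Println(leaks(tok, func(l *log.Logger) { logWholeStruct(l, masked) }))
}
```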

Verified by gemini-3.1-flash-lite-preview

AI Signal Details

AI Signals in b42ff50
GitHub Copilot | co author trailer generic | Co-authored-by: Copilot <175728472+Copilot | 70%

Bug-Introducing Commits (1)

Project: Private Image Sharing (#2170)

Erik Zilber | Nov 14, 2025 | linode/producerimagesharegroupmember/framework_resource.go | Blame: 90%

Fix Commits (2)