Skip to main content

Azure CVE-2026-27640

HIGH
Improper Removal of Sensitive Information Before Storage or Transfer (CWE-212)
2026-02-25 security-advisories@github.com
Azure Tfplan2md
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Mar 12, 2026 - 21:55 vuln.today
CVE Published
Feb 25, 2026 - 04:16 nvd
HIGH 7.5

DescriptionGitHub Advisory

tfplan2md is software for converting Terraform plan JSON files into human-readable Markdown reports. Prior to version 1.26.1, a bug in tfplan2md affected several distinct rendering paths: AzApi resource body properties, AzureDevOps variable groups, Scriban template context variables, and hierarchical sensitivity detection. This caused reports to render values that should have been masked as "(sensitive)" instead. This issue is fixed in v1.26.1. No known workarounds are available.

AnalysisAI

tfplan2md versions before 1.26.1 fail to properly mask sensitive values in Terraform plan reports across multiple rendering paths, causing credentials and other confidential data to be exposed in plaintext markdown output instead of being redacted. Administrators and developers using affected versions to generate infrastructure reports may inadvertently expose secrets to unauthorized parties with access to the generated documentation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain Terraform plan JSON file
Exploit
Process with tfplan2md <1.26.1
Execution
Sensitive values rendered unmasked
Impact
Extract exposed credentials and secrets
Sign in to reveal

Vulnerability AssessmentAI

Exploitation tfplan2md version prior to 1.26.1 processing Terraform plan files containing AzApi resource bodies, AzureDevOps variable groups, or Scriban template context with marked sensitive values. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 7.5 (HIGH). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker could exploit this vulnerability to compromise the affected system.
Remediation Monitor vendor advisories for a patch. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Identify all systems running tfplan2md and assess whether they process sensitive infrastructure plans; isolate or restrict access to affected instances. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-27640 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy