CVE-2026-27640 Overview
CVE-2026-27640 is a Sensitive Data Exposure vulnerability affecting tfplan2md, a software tool designed to convert Terraform plan JSON files into human-readable Markdown reports. Prior to version 1.26.1, a bug in tfplan2md affected several distinct rendering paths including AzApi resource body properties, AzureDevOps variable groups, Scriban template context variables, and hierarchical sensitivity detection. This flaw caused reports to render values that should have been masked as "(sensitive)" instead, potentially exposing confidential infrastructure configuration data.
Critical Impact
Sensitive infrastructure configuration values, credentials, and secrets that should be masked in Terraform plan reports may be inadvertently exposed to unauthorized parties through improperly rendered Markdown output.
Affected Products
- tfplan2md versions prior to 1.26.1
- Systems utilizing AzApi resource body property rendering
- Environments using AzureDevOps variable group integration with tfplan2md
Discovery Timeline
- 2026-02-25 - CVE-2026-27640 published to NVD
- 2026-02-25 - Last updated in the NVD database
Technical Details for CVE-2026-27640
Vulnerability Analysis
This vulnerability is classified under CWE-212 (Improper Removal of Sensitive Information Before Storage or Transfer). The core issue lies in the failure of tfplan2md to properly mask sensitive values across multiple rendering pathways. When processing Terraform plan JSON files, the tool is designed to identify and redact sensitive values by replacing them with "(sensitive)" markers. However, a bug in the implementation caused this masking logic to fail in specific contexts.
The vulnerability affects four distinct rendering paths within the application: AzApi resource body properties, AzureDevOps variable groups, Scriban template context variables, and the hierarchical sensitivity detection mechanism. Each of these paths failed to properly propagate or detect the sensitivity flag, resulting in plaintext exposure of values that should have been protected.
Root Cause
The root cause stems from improper information removal logic (CWE-212) where the sensitivity detection and masking functionality did not correctly traverse or handle nested data structures across the affected rendering paths. The hierarchical sensitivity detection, in particular, failed to properly inherit sensitivity markers from parent objects to child properties, allowing sensitive values to bypass the masking mechanism.
Attack Vector
The vulnerability has a network attack vector and low attack complexity. Anyone with low-privilege read access to the generated Markdown reports can view infrastructure configuration data that should have been redacted. This is particularly concerning in CI/CD pipeline environments where Terraform plan outputs are shared via pull request comments, wiki pages, or documentation systems.
The exposure could include sensitive information such as database connection strings, API keys, service principal credentials, or other secrets embedded in Terraform configurations that rely on the sensitivity masking feature for protection during report generation.
Detection Methods for CVE-2026-27640
Indicators of Compromise
- Review generated Markdown reports for unexpected exposure of configuration values that should display as "(sensitive)"
- Audit CI/CD pipeline artifacts for Terraform plan reports containing unmasked credential or secret values
- Check historical reports generated with tfplan2md versions prior to 1.26.1 for potential data exposure
Detection Strategies
- Implement automated scanning of generated Markdown output to detect patterns consistent with exposed credentials (API keys, connection strings, tokens)
- Monitor tfplan2md version in use across development and CI/CD environments to identify vulnerable installations
- Enable audit logging for systems that consume or display tfplan2md-generated reports
Monitoring Recommendations
- Configure alerts for Markdown reports containing values matching known sensitive patterns (AWS keys, Azure credentials, database passwords)
- Implement file integrity monitoring on systems storing generated Terraform plan reports
- Review access logs for systems hosting potentially exposed infrastructure documentation
How to Mitigate CVE-2026-27640
Immediate Actions Required
- Upgrade tfplan2md to version 1.26.1 or later immediately
- Audit all previously generated Markdown reports for sensitive data exposure
- Rotate any credentials or secrets that may have been exposed in generated reports
- Review access controls on systems storing or displaying Terraform plan documentation
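As an added example (not tfplan2md's own code; the tool is a .NET project and this does not reproduce its implementation), the following Python sketch shows the inheritance rule described under Root Cause, and an audit helper for the report review called for in the Detection and Immediate Actions lists. It relies on the Terraform plan JSON convention that `after_sensitive` mirrors `after`, with `true` at a node marking that node and everything beneath it sensitive; the plan fragment and the report fragment are constructed here.

```python
SENSITIVE = "(sensitive)"

def walk(values, flags, path="", inherited=False):
    """Yield (path, leaf, is_sensitive) for every leaf under `values`; `flags` is the
    matching after_sensitive node and `inherited` carries a parent's `true` downward."""
    sensitive = inherited or flags is True
    if isinstance(values, dict):
        sub = flags if isinstance(flags, dict) else {}
        for k, v in values.items():
            yield from walk(v, sub.get(k, False), f"{path}.{k}" if path else k, sensitive)
    elif isinstance(values, list):
        sub = flags if isinstance(flags, list) else []
        for i, v in enumerate(values):
            yield from walk(v, sub[i] if i < len(sub) else False, f"{path}[{i}]", sensitive)
    else:
        yield path, values, sensitive

def mask(values, flags, inherited=False):
    """Return a copy of `values` with every sensitive leaf replaced by SENSITIVE."""
    sensitive = inherited or flags is True
    if isinstance(values, dict):
        sub = flags if isinstance(flags, dict) else {}
        return {k: mask(v, sub.get(k, False), sensitive) for k, v in values.items()}
    if isinstance(values, list):
        sub = flags if isinstance(flags, list) else []
        return [mask(v, sub[i] if i < len(sub) else False, sensitive) for i, v in enumerate(values)]
    return SENSITIVE if sensitive else values

def find_leaks(report_markdown, change):
    """Audit a rendered report: paths whose sensitive string value appears verbatim."""
    return sorted(
        path
        for path, value, is_sensitive in walk(change["after"], change.get("after_sensitive", {}))
        if is_sensitive and isinstance(value, str) and value and value in report_markdown
    )

# Constructed resource_changes[].change: the whole AzApi-style `body` is flagged
# sensitive at the parent, so `sku` must be masked as well as the password.
CHANGE = {
    "after": {
        "name": "kv-prod",
        "body": {"properties": {"adminPassword": "P@ss-example", "sku": "Standard"}},
        "tags": ["team:platform"],
    },
    "after_sensitive": {"body": True, "tags": [False]},
}

# Constructed report fragment in the shape a renderer that ignored inheritance could emit.
LEAKY_REPORT = "| body.properties.adminPassword | P@ss-example |\n| name | kv-prod |\n"
```

Running `find_leaks` over archived reports generated by a pre-1.26.1 build, with the matching plan JSON, gives a concrete list of values that need rotation rather than a manual read-through.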
Patch Information
The vulnerability has been fixed in tfplan2md version 1.26.1. The patch addresses the sensitivity masking logic across all four affected rendering paths: AzApi resource body properties, AzureDevOps variable groups, Scriban template context variables, and hierarchical sensitivity detection. Users should upgrade to this version or later to remediate the vulnerability.
For detailed information about the fix, refer to the GitHub tfplan2md Release v1.26.1 and the GitHub Security Advisory GHSA-5j8r-g94q-2f39.
Workarounds
- The vendor advisory lists no workaround; the measures below only reduce exposure until the upgrade is done
- As an interim measure, manually review all generated reports before publishing to ensure sensitive values are not exposed
- Consider temporarily disabling automated publishing of Terraform plan reports until the upgrade is complete
- Restrict access to generated Markdown reports to minimize exposure risk
# Upgrade tfplan2md to the patched version
# Using your package manager or directly from GitHub releases
# Verify installed version after upgrade
tfplan2md --version
# Expected output: 1.26.1 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.