This email comes from outside the organization; let's stay vigilant.
=====================================================================
CERT-Renater Note d'Information No. 2026/VULN221
_____________________________________________________________________
DATE : 26/02/2026
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running terraform-provider-linode versions prior to 3.9.0.
=====================================================================
https://github.com/linode/terraform-provider-linode/security/advisories/GHSA-5rc7-2jj6-mp64
_____________________________________________________________________

Sensitive Information Exposure in Terraform Provider for Linode Debug Logs
Severity: Moderate

zliang-akamai published GHSA-5rc7-2jj6-mp64 on Feb 24, 2026

Package: terraform-provider-linode (terraform)
Affected versions: < 3.9.0
Patched versions: 3.9.0

Description

Impact

The Terraform Provider for Linode versions prior to v3.9.0 logged sensitive information, including some passwords, StackScript content, object storage data, and NodeBalancer TLS keys, in debug logs without redaction.

Important: Provider debug logging is not enabled by default. This issue is exposed when debug/provider logs are explicitly enabled (for example in local troubleshooting, CI/CD jobs, or centralized log collection). If enabled, sensitive values may be written to logs and then retained, shared, or exported beyond the original execution environment.
Specifically:

- Instance creation operations logged the full InstanceCreateOptions struct, containing RootPass and StackScriptData.
- Instance disk creation logged InstanceDiskCreateOptions, containing RootPass and StackscriptData.
- StackScript update operations logged the complete script content via StackscriptUpdateOptions.Script.
- Image share group member creation logged tokens in ImageShareGroupAddMemberOptions.Token.
- Object storage operations logged full PutObjectInput structures containing user data.
- NodeBalancer config create and update operations logged NodeBalancerConfigCreateOptions and NodeBalancerConfigUpdateOptions, containing the SSLKey (TLS private key).

An authenticated user with access to provider debug logs (through log aggregation systems, CI/CD pipelines, or debug output) would thus be able to extract these sensitive credentials.

Patches

Update to version v3.9.0 or later, which sanitizes debug logs by logging only non-sensitive metadata such as labels, regions, and resource IDs while redacting credentials, tokens, keys, scripts, and other sensitive content.

Workarounds and Mitigations

- Disable Terraform/provider debug logging, or set it to WARN level or above. To disable the logging, unset the TF_LOG_PROVIDER and TF_LOG environment variables; alternatively, set them to WARN or ERROR so that the sensitive information emitted at the INFO and DEBUG levels is not logged. See the Terraform docs for details: https://developer.hashicorp.com/terraform/internals/debugging
- Restrict access to existing and historical logs.
- Purge or retention-trim logs that may contain sensitive values.
- Rotate potentially exposed secrets/credentials, including:
  - Root passwords
  - Image share group tokens
  - TLS private keys/certificates used in NodeBalancer configs
  - StackScript content/secrets, if embedded

Credits

This issue was reported to us by Hasan Sheet via Akamai's HackerOne Bug Bounty program.
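To show the logging change the patch describes, here is an added Go example (not the provider's or linodego's own code) that contrasts formatting a whole options struct into a log line with logging only non-sensitive metadata. The InstanceCreateOptions type below is a simplified stand-in that borrows the field names from the advisory, and all values are constructed.

```go
package main

import (
	"fmt"
	"log"
	"strings"
)

// Simplified stand-in for the provider's InstanceCreateOptions. Field names
// follow the advisory, but this is NOT the real linodego type.
type InstanceCreateOptions struct {
	Label           string
	Region          string
	Type            string
	RootPass        string
	StackScriptData map[string]string
}

// unsafeLogLine reproduces the pre-3.9.0 pattern: the entire struct is
// formatted into the log line, so RootPass and StackScriptData appear verbatim.
func unsafeLogLine(opts InstanceCreateOptions) string {
	return fmt.Sprintf("creating instance: %+v", opts)
}

// safeLogFields is the hardened pattern: only non-sensitive metadata is
// emitted, plus a flag and a count that record that secrets were supplied
// without revealing them.
func safeLogFields(opts InstanceCreateOptions) map[string]any {
	return map[string]any{
		"label":                  opts.Label,
		"region":                 opts.Region,
		"type":                   opts.Type,
		"root_pass_set":          opts.RootPass != "",
		"stackscript_data_count": len(opts.StackScriptData),
	}
}

// leaksSecret reports whether a rendered log line contains any of the given
// secret values; useful as a unit-test guard on log formatting.
func leaksSecret(line string, secrets ...string) bool {
	for _, s := range secrets {
		if s != "" && strings.Contains(line, s) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample values; nothing here is a real credential.
	opts := InstanceCreateOptions{Label: "web-1", Region: "us-east", Type: "g6-nanode-1",
		RootPass: "constructed-root-password", StackScriptData: map[string]string{"db_password": "constructed-db-secret"}}
	log.Println(unsafeLogLine(opts)) // leaks both secrets
	log.Printf("creating instance: %v", safeLogFields(opts))
}
```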
References

https://github.com/linode/terraform-provider-linode/releases/tag/v3.9.0
#2269
43a925d

Severity

Moderate, 5.0 / 10

CVSS v3 base metrics
Attack vector:       Network
Attack complexity:   Low
Privileges required: Low
User interaction:    None
Scope:               Changed
Confidentiality:     Low
Integrity:           None
Availability:        None

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

CVE ID: CVE-2026-27900

Weaknesses: CWE-532

=========================================================
+ CERT-RENATER         | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel     | fax : 01-53-94-20-41            +
+ 75013 Paris          | email: cert@support.renater.fr  +
=========================================================