Platform
go
Component
github.com/bpg/terraform-provider-proxmox
Fixed in
0.93.2
0.93.1
CVE-2026-25499 covers an insecure sudo recommendation in the documentation of the Terraform Provider for Proxmox. Users who follow the suggested configuration end up with sudo rules that permit unintended privilege escalation. The documentation shipped with provider versions prior to 0.93.1 is affected; the corrected documentation was released with version 0.93.1.
The core issue is that the documented sudo rules are not sufficiently restrictive. An attacker who gains control of the account those rules are granted to can use them to escape the directory the rule was meant to confine writes to and edit arbitrary files on the host, gaining privileges well beyond what the rule was intended to allow. Since that host is part of the Proxmox environment managed by Terraform, the result can be compromise of the whole environment. The impact is amplified where Terraform automates provisioning and management, because the escalated access lands on infrastructure that controls many guests.
This CVE was publicly disclosed on 2026-02-05. There are currently no known public proof-of-concept exploits. The EPSS score is 0.03% (8th percentile). This vulnerability is not currently listed in the CISA KEV catalog.
Organizations utilizing Terraform to manage Proxmox environments are at risk. This includes DevOps teams, infrastructure engineers, and anyone responsible for configuring and maintaining Proxmox clusters. Specifically, those who have followed the documentation's sudo recommendations are most vulnerable.
disclosure
Exploit status
EPSS
0.03% (8th percentile)
CISA SSVC
The primary mitigation for CVE-2026-25499 is to upgrade the Terraform Provider for Proxmox to version 0.93.1 or later and follow the corrected sudo guidance. Note that the fix is a documentation change: upgrading the provider does not touch sudoers files already deployed on your Proxmox nodes, so any rules that were copied from the older documentation have to be revised by hand. On each node, list the effective rules for the provider's account (for example with `sudo -l -U <user>`) and check them against the principle of least privilege: avoid `ALL`, and avoid wildcards in command arguments, since a `*` in a sudoers argument also matches `/` and therefore does not confine the command to one directory. If an upgrade is not immediately feasible, rewrite the affected rules now, and add access controls and auditing to detect any unauthorized use of the account.
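To make the review concrete, here is an added example (not code from the provider project or from this advisory) that parses a sudoers fragment and flags the two rule shapes discussed above: `ALL` command grants and wildcards in command arguments. The sudoers lines are constructed for the demo and are not the provider's documented rules; `sudoers_arg_matches` approximates sudo's argument matching with Python's `fnmatch`, which, like sudoers, lets `*` match `/`. The wildcard rule shows why a rule that looks scoped to one directory is not: the pattern also matches a path that walks back out with `..`.

```python
import fnmatch
import re

# Constructed sudoers fragment for this demo. These lines are NOT the
# provider's documented rules; they are the shapes an auditor should flag.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
deploy  ALL=(root) NOPASSWD: ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/tee /var/lib/vz/*
deploy  ALL=(root) NOPASSWD: /usr/sbin/pvesm, /usr/sbin/qm
ops     ALL=(root) /usr/bin/tee /var/lib/vz/template/iso/image.iso
"""

# user host=(runas) [TAG:] cmd [args] [, cmd ...]
RULE_RE = re.compile(r"^(\S+)\s+(\S+)=(?:\(([^)]*)\))?\s*(.*)$")
TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
        "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT"}
GLOB_CHARS = set("*?[")
SKIP = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")


def parse_rules(text):
    """Parse user-specification lines into one dict per command entry."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        user, host, runas, spec = m.groups()
        tags = set()  # a tag applies to every later command on the same line
        for cmd in spec.split(","):
            tokens = cmd.split()
            while tokens and tokens[0].endswith(":") and tokens[0][:-1] in TAGS:
                tags.add(tokens.pop(0)[:-1])
            if not tokens:
                continue
            rules.append({"user": user, "host": host, "runas": runas or "root",
                          "tags": set(tags), "exe": tokens[0], "args": tokens[1:]})
    return rules


def audit(rules):
    """Return (user, runas, command, reason) tuples for rules that grant too much."""
    findings = []
    for r in rules:
        cmd = " ".join([r["exe"], *r["args"]])
        if r["exe"] == "ALL":
            findings.append((r["user"], r["runas"], cmd, "ALL: unrestricted command access"))
            continue
        if GLOB_CHARS & set(r["exe"]):
            findings.append((r["user"], r["runas"], cmd, "wildcard in command path"))
        if any(GLOB_CHARS & set(a) for a in r["args"]):
            findings.append((r["user"], r["runas"], cmd,
                             "wildcard in arguments: '*' also matches '/' so '..' escapes the directory"))
    return findings


def sudoers_arg_matches(pattern, arg):
    """Approximation of sudoers argument matching: '*' matches any characters, '/' included."""
    return fnmatch.fnmatchcase(arg, pattern)


if __name__ == "__main__":
    for finding in audit(parse_rules(SAMPLE_SUDOERS)):
        print(finding)
    # The scoped-looking rule still accepts a path that walks out of /var/lib/vz
    print(sudoers_arg_matches("/var/lib/vz/*", "/var/lib/vz/../../etc/sudoers"))
```

Running it flags the `root` and `deploy` `ALL` grants and the `tee /var/lib/vz/*` rule; the rules that name an exact file path, or a command with no wildcard argument, pass. Commands listed without any arguments (here `pvesm` and `qm`) accept any arguments under sudoers, so whether they are acceptable depends on what the command itself can do, which a pattern check cannot judge; review those by hand.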
Update the Terraform Provider for Proxmox to version 0.93.1 or later. This version corrects the insecure sudo configuration in the documentation. Following the corrected guidance removes the possibility of escaping the directory and editing arbitrary files on the system.
CVE-2026-25499 is a HIGH severity vulnerability in Terraform Provider Proxmox where the documentation recommends insecure sudo configurations, potentially allowing privilege escalation.
You are affected if you are using Terraform Provider Proxmox versions prior to 0.93.1 and have followed the documentation's sudo recommendations.
Upgrade to Terraform Provider Proxmox version 0.93.1 or later and review your Terraform configurations to ensure they do not implement the insecure sudo rules.
There are no confirmed reports of active exploitation at this time, but the potential for privilege escalation warrants attention.
Refer to the Terraform Provider Proxmox repository on GitHub for the latest information and advisory: [https://github.com/bpg/terraform-provider-proxmox](https://github.com/bpg/terraform-provider-proxmox)