Platform
go
Component
github.com/bpg/terraform-provider-proxmox
Fixed in
0.93.2
0.93.1
CVE-2026-25499 affects the Terraform Provider Proxmox, specifically its documentation: the documentation recommended insecure sudo configurations that could lead to privilege escalation if exploited. The issue affects versions before 0.93.1 and is resolved in that version.
The primary impact of CVE-2026-25499 stems from the insecure sudo configuration recommended in the Terraform Provider Proxmox documentation. An attacker could abuse that configuration through a Terraform configuration that, when executed, grants elevated privileges on the Proxmox host. This could allow them to gain unauthorized access to sensitive data, modify system configurations, or compromise the entire Proxmox environment. The blast radius extends to any resources managed by Terraform through this provider, including virtual machines, containers, and storage volumes.
This CVE is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not yet available, but the potential for privilege escalation warrants attention. The EPSS score is likely to be assessed as medium due to the potential impact and the reliance on an attacker following specific documentation instructions. The vulnerability was publicly disclosed on 2026-02-05.
Exploit Status
EPSS
0.03% (8th percentile)
CISA SSVC
The primary mitigation for CVE-2026-25499 is to upgrade the Terraform Provider Proxmox to version 0.93.1 or later. This version includes updated documentation that no longer recommends the insecure sudo rules. Review existing Terraform configurations that use the Proxmox provider and ensure the hosts they manage do not implement the previously recommended insecure sudo rules. Apply the principle of least privilege when configuring sudo access for Terraform users. After upgrading, confirm the fix by reviewing the provider's documentation and verifying that the recommended sudo configurations align with security best practices.
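One way to find affected pins before upgrading, as an added example that is not part of the advisory or the provider's own tooling: it parses a `.terraform.lock.hcl` file and reports any `bpg/proxmox` version older than 0.93.1. The lock-file sample is constructed here, and the provider address is assumed to be the public registry one.

```python
import re
from typing import Dict, List, Tuple

# Provider address on the public Terraform registry (assumed) and the
# version the advisory names as carrying the corrected documentation.
PROVIDER = "registry.terraform.io/bpg/proxmox"
FIXED_IN = (0, 93, 1)

# Constructed sample of a .terraform.lock.hcl: one vulnerable bpg/proxmox
# entry and one unrelated provider, in the lock file's own block syntax.
SAMPLE_LOCK = '''
provider "registry.terraform.io/bpg/proxmox" {
  version     = "0.92.0"
  constraints = "~> 0.92"
}

provider "registry.terraform.io/hashicorp/random" {
  version = "3.6.0"
}
'''

# A provider block runs from its header to the first "}" at column 0.
BLOCK_RE = re.compile(r'provider\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
VERSION_RE = re.compile(r'^\s*version\s*=\s*"([^"]+)"', re.M)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn "0.93.1" into (0, 93, 1); a pre-release suffix is dropped."""
    core = text.lstrip("v").split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def locked_versions(lock_hcl: str) -> Dict[str, str]:
    """Map each provider address in the lock file to its pinned version."""
    found = {}
    for addr, body in BLOCK_RE.findall(lock_hcl):
        m = VERSION_RE.search(body)
        if m:
            found[addr] = m.group(1)
    return found


def affected_by_cve_2026_25499(lock_hcl: str) -> List[str]:
    """Return pinned bpg/proxmox versions older than the fixed 0.93.1."""
    return [ver for addr, ver in locked_versions(lock_hcl).items()
            if addr == PROVIDER and parse_version(ver) < FIXED_IN]


if __name__ == "__main__":
    for v in affected_by_cve_2026_25499(SAMPLE_LOCK):
        print(f"{PROVIDER} {v}: older than 0.93.1, upgrade and review sudo rules")
```

A pin at or above 0.93.1 only means the shipped documentation is fixed; sudo rules already applied on a Proxmox host still need to be reviewed by hand.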
Upgrade the Terraform provider for Proxmox to version 0.93.1 or later. This version corrects the insecure sudo configuration in the documentation. Upgrading removes the possibility of escaping the directory and editing arbitrary files on the system.
CVE-2026-25499 is a HIGH severity vulnerability in Terraform Provider Proxmox where the documentation recommends insecure sudo configurations, potentially allowing privilege escalation.
You are affected if you are using Terraform Provider Proxmox versions prior to 0.93.1 and have followed the documentation's sudo recommendations.
Upgrade to Terraform Provider Proxmox version 0.93.1 or later and review your Terraform configurations to ensure they do not implement the insecure sudo rules.
There are no confirmed reports of active exploitation at this time, but the potential for privilege escalation warrants attention.
Refer to the Terraform Provider Proxmox repository on GitHub for the latest information and advisory: [https://github.com/bpg/terraform-provider-proxmox](https://github.com/bpg/terraform-provider-proxmox)