CVE-2026-27640: CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer in oocx tfplan2md
tfplan2md is software for converting Terraform plan JSON files into human-readable Markdown reports. Prior to version 1.26.1, a bug in tfplan2md affected several distinct rendering paths: AzApi resource body properties, AzureDevOps variable groups, Scriban template context variables, and hierarchical sensitivity detection. This caused reports to render values that should have been masked as "(sensitive)" instead. This issue is fixed in v1.26.1. No known workarounds are available.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2026-27640 affects tfplan2md, a tool that converts Terraform plan JSON files into Markdown reports for easier human consumption. Prior to version 1.26.1, tfplan2md contained a bug classified under CWE-212 (Improper Removal of Sensitive Information Before Storage or Transfer) that caused it to fail to mask sensitive values in the generated reports. Specifically, several rendering paths were impacted: AzApi resource body properties, AzureDevOps variable groups, Scriban template context variables, and the hierarchical sensitivity detection mechanism. Instead of replacing sensitive values with the placeholder "(sensitive)", the tool rendered the actual sensitive data in plaintext. This flaw exposes potentially confidential infrastructure-as-code details such as secrets, credentials, or configuration parameters that should remain hidden. The vulnerability is remotely exploitable without user interaction and requires only limited privileges, increasing the risk of exposure in multi-user or CI/CD environments. The CVSS 4.0 score of 8.5 reflects the high confidentiality impact and ease of exploitation. No known workarounds exist, but the issue is resolved in tfplan2md version 1.26.1. Users are advised to upgrade to this version to mitigate the risk.
Potential Impact
The primary impact of this vulnerability is the unintended disclosure of sensitive information contained within Terraform plans when converted to Markdown reports. This can lead to exposure of secrets, credentials, or other confidential configuration data to unauthorized users who have access to the generated reports. Such leakage can facilitate further attacks including privilege escalation, lateral movement, or compromise of cloud infrastructure. Organizations relying on tfplan2md in automated pipelines or shared environments risk widespread data exposure if they use affected versions. The vulnerability undermines the confidentiality of infrastructure-as-code workflows and may violate compliance requirements regarding sensitive data handling. Although no exploits are currently known in the wild, the ease of exploitation and high impact make this a significant risk for organizations using tfplan2md prior to 1.26.1.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately upgrade tfplan2md to version 1.26.1 or later, where the issue is fixed. Since no workarounds exist, patching is the primary defense. Additionally, organizations should audit existing Markdown reports generated by vulnerable versions to identify any inadvertent exposure of sensitive data and take appropriate remediation steps such as revoking or rotating exposed secrets. Implement strict access controls on Terraform plan reports to limit exposure. Integrate scanning tools to detect sensitive data leakage in generated documentation. Review CI/CD pipelines to ensure tfplan2md is updated and that sensitive reports are handled securely, including encryption at rest and in transit. Educate development and DevOps teams about the risks of using outdated tfplan2md versions and the importance of timely updates.
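The audit step above (checking reports produced by a vulnerable version for leaked values) can be automated by comparing a rendered Markdown report against the plan JSON it was generated from. The following is an added example written for this page, not code from the tfplan2md project. It relies on the documented `terraform show -json` layout, where each entry in `resource_changes` carries a `change.after_sensitive` structure that mirrors `change.after` and marks sensitive leaves with `true`. The plan contents, the secret strings, and the two report snippets are all constructed for the example; the report layout is illustrative and does not reproduce tfplan2md's actual Markdown format.

```python
import json

# Constructed sample plan JSON (no real infrastructure or secrets). The
# "after_sensitive" tree mirrors "after" and flags sensitive leaves with true;
# keys that are absent from it are not sensitive.
SAMPLE_PLAN = json.loads(r'''
{
  "format_version": "1.2",
  "resource_changes": [
    {
      "address": "azapi_resource.example",
      "type": "azapi_resource",
      "change": {
        "actions": ["create"],
        "after": {
          "name": "example-kv",
          "body": {"properties": {"publicNetworkAccess": "Disabled",
                                   "adminPassword": "EXAMPLE-NOT-A-REAL-SECRET-123"}}
        },
        "after_sensitive": {"body": {"properties": {"adminPassword": true}}}
      }
    },
    {
      "address": "azuredevops_variable_group.example",
      "type": "azuredevops_variable_group",
      "change": {
        "actions": ["update"],
        "after": {
          "name": "release-vars",
          "variable": [{"name": "REGION", "value": "westeurope"},
                       {"name": "API_TOKEN", "value": "EXAMPLE-TOKEN-abc123"}]
        },
        "after_sensitive": {"variable": [{}, {"value": true}]}
      }
    }
  ]
}
''')

# Constructed report snippets: one where masking failed, one where it worked.
LEAKY_REPORT = """## azapi_resource.example (create)
| property | value |
| body.properties.adminPassword | EXAMPLE-NOT-A-REAL-SECRET-123 |
## azuredevops_variable_group.example (update)
| API_TOKEN | EXAMPLE-TOKEN-abc123 |
"""
MASKED_REPORT = """## azapi_resource.example (create)
| body.properties.adminPassword | (sensitive) |
## azuredevops_variable_group.example (update)
| API_TOKEN | (sensitive) |
"""

# Values shorter than this are not searched for: strings such as "true" or
# "1" would match almost any report and only produce noise.
MIN_VALUE_LEN = 4


def _all_scalars(value, path):
    """Yield (path, scalar) for every leaf under `value`."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from _all_scalars(child, f"{path}.{key}" if path else key)
    elif isinstance(value, list):
        for i, child in enumerate(value):
            yield from _all_scalars(child, f"{path}[{i}]")
    elif value is not None:
        yield path, value


def sensitive_leaves(value, flags, path=""):
    """Walk `value` and its mirrored `flags` tree; yield the sensitive leaves."""
    if flags is True:
        # The whole subtree is flagged: every scalar under it is sensitive.
        yield from _all_scalars(value, path)
    elif isinstance(value, dict) and isinstance(flags, dict):
        for key, child in value.items():
            yield from sensitive_leaves(child, flags.get(key, False),
                                        f"{path}.{key}" if path else key)
    elif isinstance(value, list) and isinstance(flags, list):
        for i, child in enumerate(value):
            sub = flags[i] if i < len(flags) else False
            yield from sensitive_leaves(child, sub, f"{path}[{i}]")


def collect_sensitive_values(plan):
    """Return [(resource address, attribute path, value)] for all sensitive leaves."""
    found = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        for path, value in sensitive_leaves(change.get("after"),
                                            change.get("after_sensitive", False)):
            found.append((rc["address"], path, str(value)))
    return found


def find_leaks(plan, report_markdown):
    """Return the sensitive plan values that appear verbatim in the report."""
    return [(addr, path, value)
            for addr, path, value in collect_sensitive_values(plan)
            if len(value) >= MIN_VALUE_LEN and value in report_markdown]


if __name__ == "__main__":
    for addr, path, _ in find_leaks(SAMPLE_PLAN, LEAKY_REPORT):
        print(f"LEAK: {addr} {path}")   # value deliberately not echoed
    print("masked report leaks:", find_leaks(SAMPLE_PLAN, MASKED_REPORT))
```

Run it against a real plan with `json.load(open("plan.json"))` and the report tfplan2md produced from it; any hit means the corresponding secret should be treated as exposed and rotated, and the report itself purged from wherever it was stored. The check is deliberately an exact-substring match, so it will miss values the renderer transformed (for example, JSON-escaped or truncated), and a clean result from it does not by itself prove a report is safe.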
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Netherlands, France, Japan, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-20T22:02:30.029Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 699e7673b7ef31ef0bd379bc
Added to database: 2/25/2026, 4:11:31 AM
Last enriched: 2/25/2026, 4:27:01 AM
Last updated: 2/25/2026, 9:54:19 PM