8.5
Terraform Plan Converter Exposes Sensitive Data in Reports
CVE-2026-27640
Summary
A bug in the Terraform plan converter tfplan2md exposed sensitive data like Azure resource properties and Azure DevOps variable values in human-readable reports. This has been fixed in version 1.26.1. Update to the latest version to ensure sensitive data remains protected.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| oocx | tfplan2md | <= 1.26.1 | – |
Original title
tfplan2md is software for converting Terraform plan JSON files into human-readable Markdown reports. Prior to version 1.26.1, a bug in tfplan2md affected several distinct rendering paths: AzApi res...
Original description
tfplan2md is software for converting Terraform plan JSON files into human-readable Markdown reports. Prior to version 1.26.1, a bug in tfplan2md affected several distinct rendering paths: AzApi resource body properties, AzureDevOps variable groups, Scriban template context variables, and hierarchical sensitivity detection. This caused reports to render values that should have been masked as "(sensitive)" instead. This issue is fixed in v1.26.1. No known workarounds are available.
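One way to check a generated report for the unmasked values described above, as an added example (not tfplan2md code): it walks each `before`/`after` value in the Terraform plan JSON alongside its `before_sensitive`/`after_sensitive` mask, treating a mask of `true` on a parent as covering every child, and flags any sensitive value that appears verbatim in the report. The plan, report, resource names and values are constructed for illustration, and `leaked_values` is a hypothetical helper name.

```python
def _leaves(value):
    """Yield every scalar below a value whose whole subtree is marked sensitive."""
    if isinstance(value, dict):
        for v in value.values():
            yield from _leaves(v)
    elif isinstance(value, list):
        for v in value:
            yield from _leaves(v)
    elif value is not None and not isinstance(value, bool):
        yield str(value)

def _sensitive(value, mask):
    """Walk a plan value and its *_sensitive mask in parallel."""
    if mask is True:                      # hierarchical: covers all children
        yield from _leaves(value)
    elif isinstance(mask, dict) and isinstance(value, dict):
        for key, sub in mask.items():
            if key in value:
                yield from _sensitive(value[key], sub)
    elif isinstance(mask, list) and isinstance(value, list):
        for item, sub in zip(value, mask):
            yield from _sensitive(item, sub)

def leaked_values(plan, report, min_len=4):
    """Return (address, value) pairs whose sensitive value appears in the report."""
    found = set()
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        for side in ("before", "after"):
            mask = change.get(side + "_sensitive")
            for secret in _sensitive(change.get(side), mask):
                # Skip very short values: they match unrelated report text.
                if len(secret) >= min_len and secret in report:
                    found.add((rc.get("address"), secret))
    return sorted(found)

# Constructed sample plan and report (all names and values are made up).
PLAN = {"resource_changes": [
    {"address": "azapi_resource.app", "change": {
        "before": None, "before_sensitive": False,
        "after": {"name": "app", "body": {"properties": {"adminPassword": "Pw-constructed-1"}}},
        "after_sensitive": {"body": {"properties": True}}}},
    {"address": "azuredevops_variable_group.vars", "change": {
        "before": None, "before_sensitive": False,
        "after": {"variable": [{"name": "token", "secret_value": "tok-constructed-2"}]},
        "after_sensitive": {"variable": [{"secret_value": True}]}}},
]}
REPORT = "| adminPassword | Pw-constructed-1 |\n| token | (sensitive) |\n"
if __name__ == "__main__":
    for address, value in leaked_values(PLAN, REPORT):
        print(f"LEAK {address}: {value[:3]}... appears unmasked in report")
```

For real use, load the plan from the output of `terraform show -json` and the report from the generated Markdown file. A verbatim substring match misses values that the renderer escaped or reformatted, so an empty result does not prove that a report is clean.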
NVD CVSS 3.1
7.5
NVD CVSS 4.0
8.5
Vulnerability type
CWE-212
- https://github.com/oocx/tfplan2md/releases/tag/v1.26.1 Product Release Notes
- https://github.com/oocx/tfplan2md/security/advisories/GHSA-5j8r-g94q-2f39 Vendor Advisory
Published: 25 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026