Terraform Linode provider leaks passwords and TLS keys in debug logs
TL;DR — The Terraform Linode provider wrote passwords, tokens, and TLS private keys into debug logs without redaction when debug logging was enabled.
What happened
The Terraform Linode provider is a HashiCorp Terraform plugin that manages Linode cloud infrastructure as code. CVE-2026-27900 discloses that terraform-provider-linode versions prior to v3.9.0 could write sensitive fields into debug logs without redaction when provider/debug logging is enabled. Exposed values include instance root passwords, StackScript content, object storage data, image share group tokens, and NodeBalancer TLS private keys.
IaC provider debug logs are often shipped to centralized collectors or shared during troubleshooting — making this a particularly insidious credential exposure vector that may persist in log archives long after the vulnerable version is replaced.
Who is impacted
- Teams using terraform-provider-linode < v3.9.0 with Terraform/provider debug logging enabled (e.g., TF_LOG_PROVIDER or TF_LOG set to DEBUG or TRACE).
- Any operator who can access those debug/provider logs could extract credentials.
What to do now
- Upgrade to terraform-provider-linode v3.9.0 or later (the first release without the leak) and follow any further vendor remediation guidance.
- Disable provider debug logging where possible (unset TF_LOG_PROVIDER and TF_LOG, or set them to WARN/ERROR).
- Restrict access to existing and historical CI/CD and log-aggregation data.
- Purge/trim log retention for affected time ranges.
- Rotate instance root passwords, image share tokens, NodeBalancer TLS keys/certs, and StackScript secrets.
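The following triage script is an added example, not code from the advisory or from the provider project. It checks the three things the remediation list turns on: the provider version pinned in .terraform.lock.hcl against the first fixed release (v3.9.0), whether the current environment enables provider debug logging (TF_LOG / TF_LOG_PROVIDER), and whether already-captured provider log text contains the kinds of values the advisory says were written out. The lock-file text and log lines are constructed samples, the exact layout of the provider's own log lines is an assumption, and the attribute names in INDICATORS (root_pass, ssl_key, script, token) are illustrative; adjust them to the resources in your own configuration.

```python
"""Triage helper for the terraform-provider-linode debug-log exposure (CVE-2026-27900).

Added example, not code from the advisory or the provider project. Sample
inputs are constructed; the provider's real log line format is an assumption.
"""
import re

FIXED_VERSION = (3, 9, 0)  # first release without the leak, per the advisory
PROVIDER_SOURCE = "registry.terraform.io/linode/linode"

# --- 1. provider version from .terraform.lock.hcl ---------------------------

_LOCK_BLOCK = re.compile(r'provider\s+"(?P<source>[^"]+)"\s*\{(?P<body>.*?)\n\}', re.S)
_LOCK_VERSION = re.compile(r'^\s*version\s*=\s*"(?P<ver>[^"]+)"', re.M)


def parse_version(text):
    """'3.9.0' or 'v3.9.0' -> (3, 9, 0); pre-release/build suffixes are dropped."""
    core = text.lstrip("v").split("-")[0].split("+")[0]
    return tuple(int(p) for p in core.split("."))


def pinned_linode_version(lock_hcl):
    """Version string pinned for the linode provider in lock-file text, or None."""
    for block in _LOCK_BLOCK.finditer(lock_hcl):
        if block.group("source") == PROVIDER_SOURCE:
            ver = _LOCK_VERSION.search(block.group("body"))
            return ver.group("ver") if ver else None
    return None


def is_vulnerable_version(version):
    return parse_version(version) < FIXED_VERSION


# --- 2. is provider debug logging enabled in this environment? ---------------

# Levels that do NOT include provider request/response bodies. Anything else
# (DEBUG, TRACE, JSON, or an unrecognised value) is treated as verbose here.
QUIET_LEVELS = {"", "INFO", "WARN", "ERROR", "OFF"}


def debug_logging_enabled(env):
    """TF_LOG_PROVIDER overrides TF_LOG for provider plugins when it is set."""
    level = env.get("TF_LOG_PROVIDER") or env.get("TF_LOG") or ""
    return level.strip().upper() not in QUIET_LEVELS


# --- 3. scan captured provider logs for the values the advisory lists --------
# Attribute names below are assumptions for illustration; adjust to your config.
INDICATORS = {
    "root_pass": re.compile(r'"?root_pass"?\s*[:=]'),  # instance root password
    "ssl_key": re.compile(r'"?ssl_key"?\s*[:=]'),      # NodeBalancer TLS private key
    "script": re.compile(r'"?script"?\s*[:=]'),        # StackScript body
    "token": re.compile(r'"?[a-z_]*token"?\s*[:=]'),   # image share / API tokens
    "pem_private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}


def find_leaks(log_text):
    """Return [(line_number, [indicator, ...]), ...] for lines that look like leaks."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        found = sorted(name for name, rx in INDICATORS.items() if rx.search(line))
        if found:
            hits.append((n, found))
    return hits


# Constructed samples (not a real lock file and not real provider output).
SAMPLE_LOCK = '''\
provider "registry.terraform.io/linode/linode" {
  version     = "3.8.0"
  constraints = "~> 3.0"
  hashes = [
    "h1:constructed-placeholder",
  ]
}

provider "registry.terraform.io/hashicorp/random" {
  version = "3.6.0"
}
'''

SAMPLE_LOG = """\
2026-03-01T10:00:00Z [DEBUG] provider.terraform-provider-linode_v3.8.0: request body={"label":"web-1","root_pass":"s3cretP@ss","region":"us-east"}
2026-03-01T10:00:01Z [DEBUG] provider.terraform-provider-linode_v3.8.0: request body={"ssl_key":"-----BEGIN PRIVATE KEY-----\\nMIIE...\\n-----END PRIVATE KEY-----","port":443}
2026-03-01T10:00:02Z [INFO]  backend/local: plan operation completed
"""


def triage(lock_hcl, log_text, env):
    """Summarise the three checks as a dict suitable for a CI gate."""
    version = pinned_linode_version(lock_hcl)
    return {
        "provider_version": version,
        "vulnerable_version": bool(version) and is_vulnerable_version(version),
        "debug_logging": debug_logging_enabled(env),
        "leak_lines": [n for n, _ in find_leaks(log_text)],
    }


if __name__ == "__main__":
    import os
    print(triage(SAMPLE_LOCK, SAMPLE_LOG, os.environ))
```

Run it against the real lock file and exported provider logs from each CI runner; any hit from find_leaks identifies a log range to purge and a secret to rotate, and a vulnerable_version result with debug_logging set means the exposure is still ongoing until the upgrade lands.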
