CVE-2026-27900: terraform-provider-linode debug logs could expose passwords and TLS private keys (fixed in v3.9.0)
What happened
On 2026-02-26 at 04:15:38 UTC, a post to the oss-security mailing list disclosed CVE-2026-27900, describing sensitive information exposure in Terraform Provider for Linode when provider/debug logging is enabled.
The report states that terraform-provider-linode versions prior to v3.9.0 could write sensitive fields into debug logs without redaction, including instance root passwords, StackScript content, object storage data, image share group tokens, and NodeBalancer TLS private keys (SSLKey).
Who is impacted
Teams using terraform-provider-linode < v3.9.0 are impacted if Terraform/provider debug logging is explicitly enabled (e.g., during local troubleshooting or in CI/CD), especially where logs are shipped to centralized collectors or shared with others.
Any authenticated user (or operator) who can access those debug/provider logs could potentially extract credentials and secret material from retained log output.
What to do now
- Upgrade to terraform-provider-linode v3.9.0 or later, which the disclosure says sanitizes debug logs by logging only non-sensitive metadata and redacting sensitive values.
- Disable provider/Terraform debug logging where possible (e.g., unset TF_LOG_PROVIDER and TF_LOG, or use WARN/ERROR levels).
- Restrict access to existing and historical CI/CD and log-aggregation data that may contain leaked values.
- Purge/trim log retention for affected time ranges.
- Rotate potentially exposed secrets, including instance root passwords, image share group tokens, NodeBalancer TLS private keys/certificates, and any secrets embedded in StackScripts.
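
A CI pre-flight check for the first two steps above, as an added example (not code from the disclosure or from the provider project). It reads the provider version pinned in .terraform.lock.hcl and the current TF_LOG / TF_LOG_PROVIDER values; the registry address registry.terraform.io/linode/linode, the function names and the exit codes are assumptions of this example.

```shell
#!/bin/sh
# Added example: flag a Terraform working directory that pins
# terraform-provider-linode below the fixed release while logging is verbose.
FIXED_VERSION="3.9.0"   # first fixed release, per the advisory

# Print the linode provider version recorded in a .terraform.lock.hcl file.
# The registry source address matched here is an assumption of this example.
linode_locked_version() {
  awk '
    $1 == "provider" && $2 == "\"registry.terraform.io/linode/linode\"" { inblock = 1; next }
    inblock && $1 == "}" { inblock = 0 }
    inblock && $1 == "version" { gsub(/"/, "", $3); print $3; exit }
  ' "$1"
}

# Return 0 if version $1 is older than $2 (numeric major.minor.patch compare).
version_lt() {
  [ "$1" = "$2" ] && return 1
  oldest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
  [ "$oldest" = "$1" ]
}

# Return 0 if a TF_LOG-style value is anything other than unset, WARN or ERROR.
# Deliberately conservative: unknown values are treated as verbose.
level_is_verbose() {
  case "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" in
    ''|WARN|ERROR) return 1 ;;
    *) return 0 ;;
  esac
}

# Exit status: 0 = fixed version or provider not locked,
#              1 = affected version AND verbose logging (secrets may be logged),
#              2 = affected version, logging currently quiet (still upgrade).
audit_dir() {
  lock="$1/.terraform.lock.hcl"
  ver=""
  [ -f "$lock" ] && ver=$(linode_locked_version "$lock")
  [ -n "$ver" ] || { echo "linode provider not locked in $1"; return 0; }
  version_lt "$ver" "$FIXED_VERSION" || { echo "OK: linode $ver"; return 0; }
  if level_is_verbose "${TF_LOG:-}" || level_is_verbose "${TF_LOG_PROVIDER:-}"; then
    echo "EXPOSED: linode $ver with TF_LOG=${TF_LOG:-} TF_LOG_PROVIDER=${TF_LOG_PROVIDER:-}"
    return 1
  fi
  echo "UPGRADE: linode $ver is below $FIXED_VERSION"; return 2
}

# Run against a directory when one is given on the command line.
if [ "$#" -gt 0 ]; then audit_dir "$1"; fi
```

A status of 1 on a pipeline that ran in the past means its retained logs fall under the purge and rotation steps above; the comparison ignores pre-release suffixes.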
Additional Information
The disclosure credits a report via Akamai's HackerOne bug bounty program and references the upstream v3.9.0 release, a GitHub pull request, and a commit implementing the log sanitization, plus Terraform debugging documentation for log configuration.
