CVE-2026-25499

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-25499

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25499.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-25499

Aliases

Published

2026-02-04T20:31:17.316Z

Modified

2026-03-14T12:47:40.605726Z

Severity

8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

terraform-provider-proxmox has insecure sudo recommendation in the documentation

Details

Terraform / OpenTofu Provider adds support for Proxmox Virtual Environment. Prior to version 0.93.1, in the SSH configuration documentation, the sudoer line suggested is insecure and can result in escaping the folder using ../, allowing any files on the system to be edited. This issue has been patched in version 0.93.1.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-1188",
        "CWE-22"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25499.json"
}

References

Affected packages

Git / github.com/bpg/terraform-provider-proxmox

Affected ranges

Type: GIT
Repo: https://github.com/bpg/terraform-provider-proxmox
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

5e847af72b7bb4cf41b453dc3c5890672c1e764d

Affected versions

0.*

0.1.0

0.2.0

0.3.0

v0.*

v0.10.0

v0.11.0

v0.12.0

v0.12.1

v0.13.0

v0.13.1

v0.14.0

v0.14.1

v0.15.0

v0.16.0

v0.17.0

v0.17.0-rc1

v0.17.0-rc2

v0.17.1

v0.18.0

v0.18.1

v0.18.2

v0.19.0

v0.19.1

v0.20.0

v0.20.1

v0.21.0

v0.21.1

v0.22.0

v0.23.0

v0.24.0

v0.24.1

v0.24.2

v0.25.0

v0.26.0

v0.27.0

v0.28.0

v0.29.0

v0.30.0

v0.30.1

v0.30.2

v0.30.3

v0.31.0

v0.32.0

v0.32.1

v0.32.2

v0.33.0

v0.34.0

v0.35.0

v0.35.1

v0.36.0

v0.37.0

v0.37.1

v0.38.0

v0.38.1

v0.39.0

v0.4.0

v0.4.1

v0.4.2

v0.4.3

v0.4.4

v0.4.5

v0.4.6

v0.40.0

v0.41.0

v0.42.0

v0.42.1

v0.43.0

v0.43.1

v0.43.2

v0.43.3

v0.44.0

v0.45.0

v0.45.1

v0.46.0

v0.46.1

v0.46.2

v0.46.3

v0.46.4

v0.46.5

v0.46.6

v0.47.0

v0.48.0

v0.48.1

v0.48.2

v0.48.3

v0.48.4

v0.49.0

v0.5.0

v0.5.1

v0.5.2

v0.5.3

v0.50.0

v0.51.0

v0.51.1

v0.52.0

v0.53.0

v0.53.1

v0.54.0

v0.55.0

v0.55.1

v0.56.0

v0.56.1

v0.57.0

v0.57.1

v0.58.0

v0.58.1

v0.59.0

v0.59.1

v0.6.0

v0.6.1

v0.6.2

v0.6.3

v0.6.4

v0.60.0

v0.60.1

v0.61.0

v0.61.1

v0.62.0

v0.63.0

v0.64.0

v0.65.0

v0.66.0

v0.66.1

v0.66.2

v0.66.3

v0.67.0

v0.67.1

v0.68.0

v0.68.1

v0.69.0

v0.69.1

v0.7.0

v0.70.0

v0.70.1

v0.71.0

v0.72.0

v0.73.0

v0.73.1

v0.73.2

v0.74.0

v0.74.1

v0.75.0

v0.76.0

v0.76.1

v0.77.0

v0.77.1

v0.78.0

v0.78.1

v0.78.2

v0.79.0

v0.8.0

v0.80.0

v0.81.0

v0.82.0

v0.82.1

v0.83.0

v0.83.1

v0.83.2

v0.84.0

v0.84.1

v0.85.0

v0.85.1

v0.86.0

v0.87.0

v0.88.0

v0.89.0

v0.89.1

v0.9.0

v0.9.1

v0.90.0

v0.91.0

v0.92.0

v0.93.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25499.json"